Saturday, July 16, 2016
In EU law, member states of the EEA may not transfer personal data to a third State except that it ensures an adequate level of protection, which according to the Justice Court of the European Union (CJEU) must be understood as “essentially equivalent”. [1]
This equivalent can be provided by a contractual framework [2] relationships between the data controller and the data recipient.
what is an adequacy decision?
the adequacy level protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer or transfer operations and in particular the country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with.
the Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection
the Commission may find that a third country ensures an adequate level of protection due to its domestic law or its international commitments to the protection of privacy and fundamental rights and freedoms of individuals. Member States must then comply with the Commission decision.
Background
In a judgment [3] dated October 6, 2015 the ECJ had invalidated the decision by which the European Commission found that the agreement signed with the Safe Harbor the United States guarantee an adequate level of protection for data transfers objects. This has helped to accelerate the course of events since the European Commission and the US authorities worked for two years to draft a new agreement.
The European Commission published a draft decision in February last to obtain the opinion of the European Parliament, the G29 and the European data protection Supervisor. These have all been critical opinion as to the legal guarantees offered by the Privacy Shield.
However, on 8 July, the European Commission has formally recognized the Privacy Shield as a legal instrument guaranteeing a level of protection adequate. After analyzing in detail the US law and practice, the Commission concluded that the principles of Privacy Shield provided in Annexes (unchanged) ensured an adequate level of protection. It notes in fact that American policy adopted by the Obama administration and intelligence agencies limit the monitoring of people, it ‘target’ ‘specific’ people and does not conduct mass surveillance.
what is the Privacy Shield?
like the Safe Harbor, the Privacy Shield is a self-certification system whereby American companies acting as that data controllers or subcontractors, say join the agreement and undertake to respect its principles.
the US Commerce Department will oversee the Privacy Shield. He will check the privacy policy of the organizations consistent with the principles of public and accessible Privacy Shield and companies that no longer adhere to the agreement continue to respect its principles as they hold personal data. The ex-ante controls will be limited to questionnaires; in case of complaint and in the absence of a satisfactory response or if clear evidence of a violation of the principles, ex-post controls will be systematic.
The Federal Trade Commission (FTC) and the Department Transport will take charge of its implementation and must cooperate with the European national authorities to data protection.
as is always better in articulating, text specifies that companies whose activities fall within the scope of the application of Article 3 of Regulation (GDPR) will not be content to assert their adherence to Privacy Shield to demonstrate compliance with the Regulations.
principles of Privacy Shield
Apart from exceptions (national security, public interest, law enforcement), certified organizations Privacy Shield will commit to a number of principles.
the principle of information (notice principle) is to inform people about the processing of data concerning them, to publish the privacy policy and make it available on the websites of the FTC, in the list of Privacy Shield and on the website dispute resolution.
the principle of integrity of the data that the data must be reliable, current, accurate, complete, and the principle of special purpose under which it can not be of use further personal data for a purpose incompatible with the collection.
the principle of selection which nevertheless allows the person in case of new purpose “compatible” to oppose the treatment [4] ( Opt-Out)
The security principle that requires adherents to Privacy Shield and their subcontractors to take reasonable and appropriate measures taking into account the risks.
The principle data access can be restricted only in exceptional cases. People have the right to correct or remove inaccurate or processed contrary to the principles of data. For employees, organizations have the obligation to cooperate in providing direct access to data or through the employer in Europe.
Queries regarding the automated processing used to make decisions affecting persons: in a number of specific cases (credit, employment, mortgages), US laws provide safeguards against the damaging decisions. However due to the increasing number of automated processes including profiling purposes to take vis-à-vis those decisions, the Commission and the US authorities decided to “initiate a dialogue on decisions based on automated processing and to exchange views before the annual review of the Privacy Shield. “
Application and responsibility for subsequent transfers
the self certification will make the application of mandatory principles.
organizations will renew their membership each year. They will take the verification measures that the principles and compliance; this can be done in the form of self-assessment (procedures and internal training) or external evaluation. Organizations will set up a dispute resolution mechanism and will be subject to US control authorities
Privacy Shield strengthens the accountability of US organizations for subsequent transfers of data to third countries. Transfers must have a limited and specific purpose. They will be subject to a contract ensuring compliance with the principles of the Privacy Shield, forcing recipients to inform the certificate holder since it would no longer be able to respect these principles and providing for the deletion of data or character identifier once the realized purpose. As for sensitive data transfer, they will be subject to an express consent of the people. Finally, in case of improper treatment in the chain of subcontracting, the data controller must prove that he is not responsible for the cause of the damage.
For treatments on data personal employees the text provides an important exception to the obligation to set up an “agreement on further transfers” if respect for the principles Privacy Shield is guaranteed by other instruments such as group Internal Rules (BCR [ 5]) or other legal tools in the group (eg. the compliance and control programs). This allows greater flexibility when sharing data with affiliates or subcontractors of a group.
The American organizations dealing with European employees of data should take into account the risks related to intervention of the European CNIL before opting for the Shield. Privacy
dispute Resolutions, remedies and decisions applying safeguards
European residents will have many dispute resolution options:
the person will first complain to the company concerned, which must respond within 45 days. If the employee data, the certificate holder will be required to undertake to comply with the advice given by the National Authority for data protection.
Organizations can propose a mechanism of dispute resolution (Alternative dispute resolution) without charge or private programs (Privacy programs).
They can also accept the supervision of the European authorities for data protection (required if HR data). These will need to refer to the Department of Commerce, which will have 90 days to respond or the FTC.
People may in any case apply to the CNIL of a Member State that send the complaint to the department of Trade and or the FTC.
in case of inaction by the national authority and if its intervention would be required, the person can sue the.
Finally, the ultimate possibility for failure of the ways outlined above, the person may resort to arbitration. The referees (from a panel of persons appointed by the Commission and the Department of Commerce) will issue binding decisions against the certified organizations. To limit the costs of actions to people, they will participate by video conference or telephone conference without translation costs.
This is a national security, Privacy Shield provides the intervention of an Ombudsperson, independent intelligence but under the direct authority of the Secretary of State.
the Ombudsperson will merely confirm to the person that the law has been respected or the otherwise, as compliance violations stopped. It will never deliver on the possible existence of surveillance activity.
Although people have several remedies at their disposal, they will fail to cover all situations falling within the executive acts President. [6]
data Access and use of personal data by US public authorities
following the revelations of Edward Snowden, in 2014 President Obama took a Presidential Directive [7] (PPD-28) to oversee intelligence operations.
“USA Freedom Act” also limits the massive data collection and allows publication of transparency reports on requests for access to data by the government.
It is clear that people have a legitimate interest in protecting their privacy.
on the other hand, the PPD28 can not be used for purposes of economic intelligence.
the collection will be targeted and framed by defined procedures … where possible.
in cases where this is not possible “for technical or operational reasons,” mass collection should be limited to six limiting cases of national security.
Finally, the data retention must be limited to five years … in principle.
the US distinguishes data collection called “bulk” of the access and the use that can be made in a targeted manner. They indicate that Section 702 of FISA is the use of data for monitoring purposes “targeted”, not massive or indiscriminate
However it is recalled that the definition of foreign intelligence is very broad. it shall include the information concerning any person regardless of nationality and on the conduct of foreign affairs of the United States.
The Commission points out for its part, will continue to verify compliance US law; it will follow the conclusions of the report expected from the committee to assess the implementation of Directive PPD-28, and the revision of Section 702 of FISA (the origin of the PRISM and UPSTREAM programs) in 2017.
in addition, the Commission will be kept informed by the United States of the regulatory changes.
What future for Privacy Shield?
Far from being a fixed text, Privacy Shield is expected to be the starting point of an evolving legal framework for transfers of personal data across the Atlantic.
It will, at least, subject to annual review and upon application of the data protection Regulation in May 2018.
Since the invalidation of the Safe Harbor, part of US companies have chosen to sign the contractual clauses guys with their recipients (legal instrument to protect the data subject of a transfer to a third country). But despite sanction threats by the European CNIL, many other companies have preferred to procrastinate and wait for the adoption of a new agreement.
Yet, notwithstanding the adoption of Privacy Shield, a uncertainty continues to weigh on the future of personal data transfers to the United States. First, the Privacy Shield and the standard contractual clauses will be subject to legal action to challenge their validity. Furthermore, the Privacy Shield provides a level of protection equivalent to that provided by Directive 95/46, but this will be replaced by European Regulation from 2018.
Finally, n ‘ remember that national data protection authorities of the Member States have the power to temporarily or permanently ban on processing.
But who, apart from the authority of Schleswig Holstein [8] dare go that far -There?
[1] ECJ, October 6, 2015, Schrems, case C-362/14
[2] contractual clauses of the European Commission
[3] Judgment in case C-362/14. Maximillian Schrems / Data Protection Commissioner.
[4] Except in the case of treatment for archival purposes, journalism, literature and art, scientific and historical research, statistics
[5] Binding Corporate Rules
[6] Executive Order 12333 and PPD 28
[7] Presidential Policy Directive 28
[8] https: //www.datenschutzzentrum.de/artikel/981-.html
About
CIL Consulting is the main contact for organizations wishing to comply with the CNIL. Cabinet of independent consulting, specializing in the protection of personal data, CIL Consulting brings expertise and operational advice to fulfill your obligations and limit the risk of sanction.
No comments:
Post a Comment