EU Data Protection: Restoring Trust in Transatlantic Data Flows
Transfers of personal data from the EU to the United States under the
current Safe Harbor scheme are now regarded as potentially unlawful.
The EU Commission has therefore published a draft with detailed provisions
for the new data protection framework governing such transfers, now known
as the E.U.-U.S. Privacy Shield.
The new rules are expected to be formally adopted and to take effect in
June 2016. The obligations and protections they impose, and the preparation
needed for their implementation, follow the standard for international
data transfers under the European Data Protection Directive 95/46/EC.
The draft provides an indication of the likely structure and content of
the replacement data framework. Several changes are required before the
proposed Privacy Shield can be implemented, and the EU is likely to impose
additional requirements rather than water down the current proposals.
From Safe Harbor To Privacy Shield
To rely on the Privacy Shield, an organisation will be required to self-certify
its adherence to seven core principles (the "Privacy Principles"). The seven
Privacy Principles under the Privacy Shield can be summarised as follows:
- Notice: Organisations must notify data subjects of thirteen
separate matters, including the types of personal data collected,
the purposes for which the particular (personal) database is kept and
used, the identity of all third parties to which personal data is or
will be disclosed, and the person's right to access, use, and have
knowledge of the personal data.
- Choice: Organisations must offer each individual the possibility to
opt out of disclosure of their personal information to third parties.
If the personal data is to be used for a purpose materially different
from that for which it was originally collected or subsequently authorised,
additional controls can be applied to the processing of sensitive
personal data.
- Accountability for data transfer: Transfers of personal data to
third parties (organiser or processing agent) may only take place for
limited and specified purposes. The arrangement is subject to a written
agreement that the third party will afford equivalent protection and
comply with the Privacy Principles.
- Security: Organisations must take reasonable and appropriate
measures to protect personal data from loss, misuse and unauthorised
access, disclosure, alteration, and destruction.
- Integrity and Limitation: Personal data must be limited to
information that is relevant for processing the matter at hand. Management
must take reasonable steps to ensure that information is reliable
for its intended use. Processes and controls must ensure that the personal
data retained is accurate, complete and current.
- Access: Each person must have access to their personal data,
with the possibility to correct, amend or delete the information whenever
it is inaccurate or has been processed in violation of the Privacy Principles.
- Recourse, Enforcement, and Liability: Organisations must
implement robust control mechanisms for assuring compliance with the
Privacy Principles. Management must ensure that individuals' complaints
and disputes are investigated and resolved at no cost to them.
Controls must be established to monitor and verify that the representations
and attestations contained in their privacy policies are accurate.
When preparing for implementation, review, or self-attestation of any
overseas transfers of personal data, businesses must document that their
data collection processes do not collect more personal data than is necessary
and that the data and the database are tightly secured and protected.
Contact us if you need
guidance on your Privacy Shield self-certification, on updating policies
and procedures, or on taking the right steps to ensure that your websites are
up to date and include details of the new privacy policies and public
disclosures under the new framework. We undertake a review and assessment
of Privacy Shield arrangements, including the inevitable transfer of personal
data to third parties.
Source: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
Update, April 14, 2016: The EU Data Privacy Regulation was adopted, while the
EU-U.S. Privacy Shield failed at the European Parliament. The new
privacy regulation is due to come into force in the first quarter of 2018.
The same consensus could not be reached on Article 29. As of now the
Parliament has rejected the EU Commission's proposal for the EU-U.S. Privacy
Shield, which is intended to replace the annulled Safe Harbor scheme.
More in the next newsletter.