Last month, the data protection authorities of the German states of Hessen and Bavaria released a statement regarding the EU-US Privacy Shield (warning: it’s in German). The statement announces that both authorities have extensive information about the Privacy Shield on their websites, including a unified complaint form for data subjects.
This release comes amid increasing concerns over the future of the Privacy Shield. The data transfer framework came into force on August 1, 2016, replacing Safe Harbor as the legal basis for transferring data between the EU and US, but has been met with heavy criticism. One of its critics is European privacy campaigner Max Schrems, who described the framework as muddled and “very likely to fail.”
New concerns over the Privacy Shield emerged this year with the inauguration of President Trump. Earlier this month, TechCrunch wrote that the Privacy Shield looks “especially precarious in Trump’s America, given the president’s apparent disregard for the rights of non-Americans.”
Privacy Shield review
The EU and US are currently conducting a joint annual review of the Privacy Shield, with a report set to be published in September. Prior to the review, the Article 29 Working Party (WP29), an advisory body made up of representatives from each EU member state, sent a letter to the European Commission detailing its concerns about the framework, stating:
[For] the commercial part, the WP29 has questions concerning, among others, the existence of legal guarantees regarding automated decision making or the existence of any guidance made available by the [Department of Commerce] regarding the application of the Privacy Shield principles to organisations acting as agents/processors. Clarifications that will be sought also include the definition [of] human resources data.
Regarding the law enforcement and national security part, [the WP29] has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate.
The Privacy Shield and the GDPR
The rules surrounding EU residents’ personal data are set to change next year with the enforcement of the EU General Data Protection Regulation (GDPR). US organizations that process EU residents’ personal data will be able to comply with the GDPR via the Privacy Shield, at least for now.
If you want to learn more about the GDPR, you should consider registering for one of our training courses. Our Certified EU General Data Protection Regulation (GDPR) Foundation and Practitioner Combination online course provides a comprehensive introduction to the requirements of the GDPR and a practical guide to planning, implementing, and maintaining a GDPR compliance program.
If you book by July 31, 2017, you’ll receive a $400 discount, as well as 20% off our GDPR toolkit.