This week's blog is by Tanya Corsie, Iken Business Ltd, LLG Corporate Partner. Publish date: 26/08/2016
The EU-US Privacy Shield (effective from 12 July 2016) is the replacement for the Safe Harbour arrangement (invalid since October 2015) and aims to satisfy the eighth principle of the Data Protection Act, which restricts the transfer of personal data outside the EEA to countries that do not ensure an adequate level of protection.
Similarities with its predecessor remain, namely that the scheme is self-certifying, with US businesses certifying annually with the Department of Commerce (certification open from 1 August 2016). The main principles from Safe Harbour are also present in the Privacy Shield, namely: notice, choice, accountability for onward transfer, security, purpose limitation, access, and recourse and liability. However, the Privacy Shield is more stringent in how these principles must be implemented.
Two areas of particular interest to local authorities are as follows:
- Participating companies must ensure that any third parties to whom they transfer data provide the same level of protection as the participating company itself. This will affect any authority using browser-based or pure cloud (hosted) systems that are based, or have datacentres, in the US. Participating companies must also publish their privacy policies on their websites, where they should be readily accessible to the public.
- There is still some controversy surrounding access to data by US public authorities, in particular the limitations, safeguards and oversight mechanisms that apply to it. The Article 29 Working Party has expressed concern that the limitations do not go far enough, and that the Privacy Shield may face the same type of legal challenge that brought down Safe Harbour (the Schrems case, brought over Facebook's transfers of EU data to the US).
There may well be further implications once Brexit is underway, particularly depending on how we actually exit the EU, and above all on whether we also leave the EEA.
Director and Chief Operating Officer, Iken Business Ltd