International data processing
The internationalization of work and business processes is ongoing. As companies and groups of companies increasingly operate at an international level, the data protection questions surrounding cross-border data transfers are becoming more complex. There is an increased need for information, especially with regard to the European General Data Protection Regulation and the current developments regarding Safe Harbor.
Therefore, the BayLDA has collected links with a focus on cross-border data transfers. Hopefully, this will help in understanding the issues and dealing with them.
EU-U.S. Privacy Shield effective
As of 1st August 2016, U.S. companies can certify under the EU-U.S. Privacy Shield. Companies which have obtained certification appear on the list published on the website of the U.S. Department of Commerce. Despite criticism expressed by the data protection authorities, the European Commission's decision on the EU-U.S. Privacy Shield is binding, so the Shield can serve as a basis for transfers of personal data to U.S. companies that have certified. Before transferring personal data, the European data controller (e.g. a company) responsible for the transfer has to verify whether the U.S. company receiving the data is on the Privacy Shield list published by the U.S. Department of Commerce. Furthermore, the transferring company has to check whether the categories of data transferred (human resources data = "HR"; other data = "Non HR") are covered by the scope of the certification of the U.S. company that receives the data.
The European Commission has published a guide for citizens illustrating in particular the rights of the persons whose data are being transferred. The guide is available in German, among other languages.
EU-US Privacy Shield adopted
On 12th July 2016 the European Commission adopted the EU-U.S. Privacy Shield. According to the European Commission's press release of 12 July 2016, US companies will be able to certify with the Commerce Department starting 1st August 2016. By doing so, US companies commit to following the rules of the EU-US Privacy Shield and gain the possibility of receiving personal data from Europe on the basis of this framework. Based on this framework, personal data from the EU can be transmitted to certified US companies (provided that the remaining legal requirements for a transmission of personal data are also fulfilled).
The European Commission will publish a short guide for citizens explaining the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.
After translating the decision on the EU-US Privacy Shield into the official languages, the European Commission will publish it in the Official Journal. As soon as the German text is available we will provide further information.
The US Department of Commerce has committed to maintaining an updated list of current Privacy Shield members and removing those companies that have left the arrangement. This list enables companies from the EU to check the certification of a US company. We will provide more information on this subject soon.
Besides the new Privacy Shield instrument, it is still possible to transmit personal data on the basis of Binding Corporate Rules (BCR) as well as Standard Contractual Clauses. However, the effectiveness of the Standard Contractual Clauses is currently being examined in legal proceedings in Ireland.
Please note: The transfer of personal data based on the EU-US Privacy Shield is allowed as soon as the US companies certify with the Commerce Department, which will not be possible until 1st of August 2016.
EU-US Privacy Shield: Opinion from the Article 29 Working Party
The Article 29 Working Party has analysed the European Commission's draft decision on the EU-U.S. Privacy Shield and, on this basis, has issued an Opinion on the Privacy Shield, accompanied by a press release. In it, the Working Party acknowledges several improvements brought by the draft Privacy Shield compared to the "Safe Harbor" precursor framework, which had been declared invalid by the European Court of Justice on 6th of October 2015. At the same time, however, the Working Party still has strong concerns regarding some aspects of the Privacy Shield. In conclusion, the Article 29 Working Party has urged the European Commission to respond to these concerns and to amend the draft accordingly in order to ensure an adequate level of protection by means of the Privacy Shield.
The opinion and the press release can be downloaded here.
EU-US Privacy Shield - Update
Yesterday the European Commission published particulars including the texts that will constitute the new data transfer mechanism called "EU-US Privacy Shield". The documents can be found here: http://europa.eu/rapid/press-release_IP-16-433_en.htm
Included is a draft of a so-called "adequacy decision" envisaged by the Commission in order to acknowledge that the Privacy Shield establishes an adequate level of protection within the meaning of Article 25 of the EC Data Protection Directive as regards personal data transferred to organisations participating in this mechanism.
As announced on 3rd February 2016, the national Data Protection Authorities of the EU Member States (united in the Article 29 Working Party) will, as of now, analyse the documents in a timely manner in order to issue a statement regarding the envisaged "adequacy decision of the Commission". After reviewing the documents, the Article 29 Working Party also plans to issue a statement about the adequacy of the level of data protection in the US in general.
We are going to provide information about further developments in this matter on a continuous basis.
Safe Harbor Update - EU-US Privacy Shield
On February 2, 2016 the EU Justice Commissioner Věra Jourová announced the completion of the European Commission's negotiations with the US on a new data transfer mechanism called "EU-US Privacy Shield". This EU-US Privacy Shield should replace the Safe Harbor decision that was declared invalid by the European Court of Justice (EUCJ) in October last year. It should allow EU companies to transfer personal data to the United States under the protection of the negotiated conditions.
Since the EUCJ judgment was pronounced, the Article 29 Working Party* has analyzed its impact on data transfers to third countries in general and to the US in particular. However, the recent developments (EU-US Privacy Shield) must now be incorporated into the preliminary results of this analysis. The conclusion of this review has been announced for mid to late April this year.
The BayLDA agrees with the Article 29 Working Party (the statement is available in English and German) that companies can continue, for the time being, data transfers to the US on the basis of existing data transfer mechanisms (in particular standard contractual clauses, Binding Corporate Rules). At the same time, companies are strongly advised that data transfers on the sole basis of Safe Harbor are no longer lawful. Companies that continue to transfer data only on the basis of Safe Harbor must expect sanctions.
* The Article 29 Working Party is composed of representatives of the data protection supervisory authorities of the EU member states, the European Data Protection Supervisor and a non-voting representative of the European Commission. It advises the European Commission and contributes to the uniform application of the provisions of the Data Protection Directive. It is independent and takes its decisions by majority vote.
US Safe Harbor Decision
On 6th of October 2015, the Court of Justice declared the Commission's US Safe Harbor Decision (2000/520/EC) invalid. Therefore, data transfers from Europe to the US within this framework are no longer legal. Companies which have transferred personal data using the Safe Harbor regime urgently need to act.
The Art. 29 Group, in which the national Data Protection Authorities of all EU Member States are represented, issued a press statement following a special session on the 16th of October 2015. In it, the Art. 29 Group set out initial consequences of this decision.
On the 26th of October 2015, the Conference of all German Federal and State Data Protection Officers also published a statement on the consequences of this decision.
The relevant documents are published here:
Initial Safe Harbor Decision (26 July 2000)
Current Decision by the Court of Justice (6 October 2015)
Statement by the Art. 29 Group (16 October 2015)
Statement by the Art. 29 Group - German version (16 October 2015)
Statement by the Conference of all German Federal and State Data Protection Officers (26 October 2015)
Main links for more international data processing information