When the Safe Harbor agreement, which for more than a decade had provided the legal basis for transferring personal data to the USA, was annulled with immediate effect by a decision of the ECJ in October 2015, it left a legal vacuum that had to be filled in the months that followed.
In February of this year, the EU Commission presented the draft of the successor document it calls the EU-US Privacy Shield, which was adopted in its final version on July 12, 2016. Legally speaking, the agreement is nothing more than an adequacy decision under Article 25 (6) of the Data Protection Directive. On this basis, the transfer of personal data to the US is possible, since the decision presumes an “appropriate level of data protection” comparable to that in the EU.
Monitoring by US intelligence agencies still possible
When the first draft of the Privacy Shield was published, strong criticism was voiced, especially from data protection advocates. The agreement was then revised, and some, but not all, of the aspects that had been criticized were removed. The accusation that US authorities can use the transferred data for non-targeted mass surveillance even when the Privacy Shield is in use remains valid. Another point is that EU citizens continue to have hardly any rights when it comes to contesting the illegal processing of their data by US companies. The United States now merely promises that access to the data will take place only within a narrow framework.
Most recently, sharp criticism has been expressed regarding the principle of self-certification, a concept already known from Safe Harbor, since the USA has not set up any control bodies within companies to verify compliance with the certification requirements. Thus, the well-founded concern remains that the Privacy Shield is merely another paper tiger.
US companies have been able to certify themselves according to the Privacy Shield's requirements since August 1, 2016. The certification must, however, be renewed annually with the US Department of Commerce.
Thus, as was the case before with the Safe Harbor agreement, there is now a list of companies that have already certified themselves according to the specifications. The list also includes information on the respective contact persons for questions or complaints concerning data processing within the certified company.
What does the Privacy Shield mean for companies?
Companies that transfer data to the US have been able to base these transfers on the Privacy Shield since August 1, 2016, provided that the transfer itself is carried out for a permissible reason. The prerequisite for this is the self-certification of the data importer in the US with the US Department of Commerce. In terms of data protection, this creates a “reasonable level of privacy” as defined by section 4b para. 2 BDSG.
At this point, however, it should be noted that although the certification allows international data transfers to be legitimized in the short term under the Privacy Shield, other instruments, such as the EU standard contractual clauses, should be used to ensure an adequate level of data protection in the medium to long term. Given the massive criticism from many sides, including both data protection authorities and supervisory authorities, it is already foreseeable that the successor to the Safe Harbor agreement will also land before the European Court of Justice and will probably be overturned by it. Thus, it is also advisable to consider other possible ways of justifying the transatlantic exchange of personal data besides the Privacy Shield.