The “Privacy Shield” comes into force: more protection in the transfer of personal data from the European Union to the US

On 6 October 2015, the Court of Justice of the European Union (CJEU) annulled Commission Decision 2000/520/EC, on the suitability of the safe harbour principles, known as the “Safe Harbour Agreement”. Previously, it was considered that merely by means of accession to said Agreement, US companies receiving personal data from Europe complied with an appropriate level of protection, equivalent to the levels demanded by European personal data protection regulations. As a result, data could be freely transferred to said companies, provided that the individual whose data was being transferred granted consent.

Adequate level of protection

The CJEU deemed that the Commission had not checked whether the US guaranteed that the affected companies actually ensured a level of protection substantially equivalent to the level of protection in the European Union, which resulted in said Agreement being declared invalid.

The Privacy Shield, adopted by the Commission in agreement with the US, replaced the Safe Harbour Agreement, imposing far stricter obligations on US companies, with a view to ensuring the adequate protection of personal data transferred to the US. To ensure compliance, the Privacy Shield provides for a range of measures.

Measures to ensure compliance

Firstly, the US Department of Commerce will be responsible for performing periodic controls on US companies receiving personal data and that have signed up to the Privacy Shield, in order to ensure that they comply with the rules they have subscribed to. If they fail to comply with said rules, they may be subject to penalties and even removed from the list of companies covered by the Privacy Shield.

Secondly, access to personal data by the US administration will be subject to limitations, safeguards and clear supervision mechanisms. Data will no longer be supervised on a massive, indiscriminate basis.

Thirdly, any European citizen that believes his/her data has been unduly used will have access to a range of complaint options: (i) directly with the company in violation; (ii) before the national data protection authority in his/her country (which will collaborate with the Federal Trade Commission to ensure that the complaint is investigated and resolved); or (iii) through any of the free alternative dispute resolution mechanisms to which the company in violation has acceded. The company must specify, in its privacy policy, the dispute resolution mechanism that it has chosen and provide a link to the website of the organisation through which the company and the complainant may try to solve the complaint.

If the complaint fails to be resolved by any of the aforementioned procedures, the Privacy Shield foresees that an arbitration procedure may be initiated before the “Privacy Shield Panel”.