This month, the Digital Law Department of Belzuz Abogados S.L.P. – Sucursal em Portugal analyzes the “EU-US Privacy Shield”, an instrument aiming to ensure the protection of personal data within the context of transatlantic data transfers.
On October 6, 2015, in court case number C-362/14, “Maximillian Schrems / Data Protection Commissioner”, the European Court of Justice declared invalid, with immediate effect, European Commission Decision 2000/520/CE, dated June 26, 2000 (commonly known as “Safe Harbor”), which allowed and regulated transatlantic data transfers, on the grounds that the level of protection granted to such data within the US was neither appropriate nor similar to the European model.
A new system therefore had to be implemented in order to facilitate transatlantic data transfers, which are known to be relevant to international trade.
Following the political agreement reached between the European Commission and the US Government, the Commission adopted Executive Decision (EU) 2016/1250 on July 12, 2016 – the “EU-US Privacy Shield”.
Under this system, American organizations receiving personal data from the EU can self-certify to the American Department of Commerce their adherence to a set of privacy principles, which they undertake to comply with, namely by adapting their privacy protection policies accordingly. Such self-certification must be renewed annually.
The main issues to be considered under this new regulatory framework are as follows:
i) The Department of Commerce makes available to the general public, on its website www.privacyshield.gov, a list of the American organizations that have self-certified their adherence to the privacy principles, which is annually updated.
ii) The Department of Commerce regularly verifies the self-certified organizations’ compliance with the “EU-US Privacy Shield”. Violation of these rules may result in sanctions, in the removal of such entities from the public list of self-certified organizations and, furthermore, in the obligation to return the transferred personal data to the European sending organizations or even to delete it.
iii) Access by US public authorities to personal data received from the EU (even if within the scope of coercive measures or for purposes of national security) is limited to what is strictly necessary to achieve the legitimate purpose of the transfer and is subject to supervision in order to ensure effective protection against public interference.
iv) With regard to the protection granted to the rights of data subjects whose personal data has been transferred:
• the organizations shall, at the data subjects’ request and without any justification being required, give them information regarding the processing of their data;
• data subjects are entitled to correct, amend or delete their own personal information;
• the organizations must take reasonable and adequate safety precautions concerning data processing;
• personal data processing shall be limited according to its purpose and such data must be reliable, accurate, complete and updated;
• recourse mechanisms are envisaged to protect data subjects against violation of the privacy principles: either within the organization in accordance with the procedures implemented, through free mechanisms of alternative dispute resolution or, ultimately, via an independent mediation.
Belzuz Abogados S.L.P. – Sucursal em Portugal is duly qualified to provide legal assistance in relation to data protection matters, particularly to corporations intending to ensure compliance with the European and internal rules applicable to data transfers.
Belzuz Abogados SLP
This publication contains general information and does not constitute professional opinion or legal advice. © Belzuz Abogados, S.L.P., all rights reserved. The exploitation, reproduction, distribution, public communication and transformation, in whole or in part, of this work is prohibited without the written authorization of Belzuz Abogados, S.L.P.