European Commission publishes preliminary text of the Privacy Shield agreement

By admin On Feb 29, 2016

Spread the love

The European Commission has made available the draft text of the Privacy Shield Agreement, which follows the Safe Harbor arrangement. The text contains new rules for companies and is intended to ensure that access to data by the US government remains limited.

Max Schrems, who in 2015 ensured that the Safe Harbor arrangement was denounced, is critical of the new Privacy Shield. For example, the European Commission claims that the US no longer collects information in bulk. However, Schrems points out that the regulation indicates six cases in which this collection is allowed. For example, when it comes to counter-terrorism, cybersecurity and international crime.

According to him, this goes directly against the requirements formulated by the European Court of Justice in the Safe Harbor ruling. Schrems therefore believes that the new rules are an attempt ‘to breathe new life into Safe Harbor’ and that the rules ‘lead directly back to Luxembourg’. By this he means that the new regulation will probably be brought before the European court in Luxembourg again soon.

Under the new rules, companies must agree to “privacy principles” through a self-certification process, which was also part of the old Safe Harbor arrangement. This process must be repeated annually and must ensure that companies comply with the applicable rules. The US Department of Commerce will check whether the privacy conditions of the companies correspond to the aforementioned principles. The Privacy Shield Agreement itself will also be reviewed annually.

One of these principles is the ‘choice principle’, whereby individuals have the option of opting out of certain forms of data processing. Under the Privacy Shield, it is only possible to use it if you want to prevent data from being provided to third parties or if the personal data is processed for an entirely different purpose than for which it was collected. schrems notice note that these two cases are only a small part of the possible editing operations.

Citizens have the opportunity to lodge a complaint with the companies that process their personal data. These companies then have 45 days to respond to such a complaint. In addition, there is a possibility to make free use of alternative methods of dispute resolution. If there is still no solution, it is possible to have the complaint resolved through the national privacy regulators. As a last resort, it is possible to submit a complaint to a Privacy Shield panel, which will then issue a binding decision. This panel consists of one or three independent arbitrators, who can be chosen by the parties from a group of at least twenty persons.

A striking point that Schrems mentions is that under the new rules, national privacy regulators can decide that a company must stop the export of data. They may do so if they believe that there is no adequate level of protection for personal data.

In the area of US national security, clear boundaries and restrictions have been placed on access to information by investigative and security services. Citizens can turn to an ombudsman in the event of complaints or conflicts. It then checks whether the necessary US legal safeguards have been observed and ensures that appropriate steps are taken if this is not the case.

Representatives of the EU Member States and the consultative body of national privacy regulators, the Article 29 Working Group, will be scrutinizing the draft text of the Privacy Shield Agreement in the near future. Then the final text is determined.