Newsletter | Volume 1


EU Data Protection: Restoring Trust in Transatlantic Data Flows

Transfers of personal data from the EU to the United States under the current Safe Harbor scheme are now regarded as potentially unlawful. The EU Commission has therefore published a draft with detailed provisions for the new data protection framework for such transfers, now known as the EU-U.S. Privacy Shield.

The new rules are expected to be formally adopted and to take effect in June 2016. The obligations, protections and preparations for implementation are set out in the standard for international data transfers under the European Data Protection Directive 95/46/EC.

The draft gives an indication of the likely structure and content of the replacement data framework. Several changes are required before the proposed Privacy Shield can be implemented, and the EU is likely to impose additional requirements rather than water down the current proposals.

From Safe Harbor To Privacy Shield
To rely on the Privacy Shield, an organisation will be required to self-certify its adherence to seven core principles (the "Privacy Principles"). The seven Privacy Principles under the Privacy Shield can be summarised as follows:
  1. Notice: Organisations must notify data subjects of thirteen separate matters, including the types of personal data collected, the purposes of the particular (personal) database and its use, the identity of all third parties to which personal data is or will be disclosed, and the person's right to access, use and have knowledge of the personal data.
  2. Choice: Organisations must offer each data subject the possibility to opt out of disclosure of their personal information to third parties. If the usage of the personal data is materially different from the purposes for which it was originally collected or subsequently authorised, additional controls can be applied to the processing of sensitive personal data.
  3. Accountability for onward transfer: Transfers of personal data to any third party (organiser or processing agent) may only take place for limited and specified purposes. The relationship is subject to a written agreement that the third party will afford equivalent protections and comply with the Privacy Principles.
  4. Security: Organisations must take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction.
  5. Integrity and Limitation: Personal data must be limited to information that is relevant for processing the matter at hand. Management must take reasonable steps to ensure that information is consistent with its intended use. Processes and controls must ensure that only accurate, complete and current personal data is retained.
  6. Access: Each person must have access to their personal data, with the possibility to correct, amend or delete the information whenever it is inaccurate or has been processed in violation of the Privacy Principles.
  7. Recourse, Enforcement and Liability: Organisations must implement robust control mechanisms for assuring compliance with the Privacy Principles. Management must ensure that individuals' complaints and disputes are investigated and resolved at no cost to them, and must establish controls to monitor and verify that the representations and attestations contained within their privacy policies are accurate.

When preparing for implementation, review or self-attestation of any overseas transfers of personal data, businesses must document that their data collection processes do not collect more personal data than is necessary, and that the data and the database holding it are tightly secured and protected.

Contact us if you need guidance on your Privacy Shield self-certification, on updating policies and procedures, or on taking the right steps to ensure that your websites are up to date and include details of the new privacy policies and public disclosures under the new framework. We undertake a review and assessment of Privacy Shield arrangements, including the inevitable transfer of personal data to third parties.
Source: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm

April 14, 2016. The EU Data Privacy Regulation was adopted, while the EU-U.S. Privacy Shield failed at the European Parliament. The new privacy regulation is due to come into force in the first quarter of 2018. The same consensus could not be reached for Article 29. As of now, the Parliament has rejected the EU Commission's proposal for the EU-U.S. Privacy Shield, which is intended to replace the annulled Safe Harbor scheme. More in the next newsletter.