More details available about the new EU-US Privacy Shield

15 March 2016

On 29 February 2016, the European Commission released more details about the content of the EU-US Privacy Shield, which was announced on 2 February 2016.

We informed you earlier about the EU-US Privacy Shield, which is meant to fill the gap left by the annulment of the Safe Harbour Framework in the Schrems judgment of the Court of Justice of 6 October 2015.

In the meantime, on 3 February 2016, WP29 (the Article 29 Working Party) released a statement in which it already underlined the four guarantees which, in its view, all intelligence activities should satisfy:

  1. Processing should be based on clear, precise and accessible rules. This means that anyone who is reasonably informed should be able to foresee what might happen to her/his data where they are transferred outside the European Economic Area.
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) on the one hand and the rights of the individual on the other hand.
  3. An independent oversight mechanism should exist which is both effective and impartial. This can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks.
  4. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.

On 29 February 2016, the European Commission announced the content of the EU-US Privacy Shield in a document covering more than 120 pages.

The documentation published by the European Commission consists of:

  • a draft adequacy decision by the European Commission, which accepts the principle that the United States provides an adequate level of protection within the meaning of Article 25(2) of Directive 95/46/EC for the transfer of personal data to organisations in the United States that are self-certified under the EU-US Privacy Shield. All self-certified organisations are included on a Privacy Shield List;
  • a document containing the EU-US Privacy Shield principles (Annex II); and
  • several declarations and promises by US officials (Annexes I and III–VII).

The text of the EU-US Privacy Shield has not yet been formally adopted. The text will be reviewed in the coming months by the Member States and by various agencies including WP29, which will look into the Shield on the basis of the four guarantees it has set out.

It is expected that the whole process will be completed by the end of June 2016.