The EU-U.S. Privacy Shield Framework facing suspension. Is it broken for good?
Here are the facts surrounding the EU-U.S. Privacy Shield Framework, which was designed by the U.S. Department of Commerce and the European Commission.
The agreement was designed to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
However, problems with the Privacy Shield have centred on the difficulty EU data subjects face in obtaining legal redress in the US if their data protection rights are violated.
As a result, the European Parliament has passed a resolution calling on the European Commission to suspend the so-called Privacy Shield with the US if the US government does not improve its implementation of the data protection agreement by 1 September.
A suspension of the agreement could limit the ability of companies to legally transfer data from the EU to the US.
The US has yet to appoint a permanent ombudsman to handle complaints, or to fill the vacancies on the Privacy and Civil Liberties Oversight Board. The European Data Protection Board, which upholds data protection regulation in the EU, has also called on US authorities to address these issues, following a recent meeting with the temporary ombudsman.
As a consequence, could more companies turn to the incredibly complex approach of Binding Corporate Rules (BCRs), while keeping temporary data sharing agreements and contracts between organisations in place in parallel?
BCRs are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside the EEA. They were originally grounded in the 8th data protection principle and Article 25 of Directive 95/46/EC, and are now provided for under Article 47 of the GDPR.
An organisation must submit an application through its lead supervisory authority and must demonstrate that the BCRs it has put in place provide adequate safeguards for protecting personal data throughout the organisation, in line with the requirements of the Article 29 Working Party papers on Binding Corporate Rules.
When submitting its application, an organisation should use Working Party paper 133, the standard application form, which is based on the checklist in WP 108. This is why I said the process is incredibly complex and time consuming.
A Binding Corporate Rules application can take up to a year, but I think it could be a better way forward for organisations with multinational interests and a need to share personal data.
The Caretower GDPR team has the knowledge and experience to offer advice on such an application process.
As for the Privacy Shield Framework and its survival, let's just wait and see.
MIET, MBCS, Security & GDPR Specialist