A higher level of protection of personal data is given to individuals in the European Union than in the United States. This causes a difficulty where European companies wish to transfer individuals’ data outside of the EU. They are obliged to ensure that the recipient complies with EU data protection law in respect of this data. How can an Irish company or organisation ensure that such safeguards are being met by recipients outside of the EU?
The Safe Harbour agreement, which had facilitated the transfer of data from the EU to the US, was invalidated last year. It did not meet the privacy requirements necessary to facilitate the protection of EU citizens’ personal data.
The ruling on the invalidity of Safe Harbour has led to the adoption of the Privacy Shield Framework between the European Commission and the U.S. Department of Commerce.
This effectively allows US companies to join the Privacy Shield Framework and self-certify on an annual basis that they will comply with the Privacy Shield requirements. Such US companies are in effect confirming that they will respect data protection rights conferred on EU citizens and offer this higher level of protection.
US organisations will self-certify to the Department of Commerce via the website www.privacyshield.gov and commit to comply with the requirements of the Framework. Once this commitment is made, it is enforceable under US law. Joining the Framework is voluntary but it brings obvious advantages to such organisations in terms of receiving EU personal data. It confirms that such organisations comply with the privacy requirements for transferring data outside of the EU, as required by the EU Data Protection Directive, thus allowing necessary business involving data transfer to take place.
The Department of Commerce can conduct regular reviews to ensure compliance by participating companies. EU individuals who consider that their data protection rights have been breached can bring a complaint against the relevant US organisation. Complaints can even be initiated with their own Data Protection Authority. An independent ombudsman in the US will deal with any national security disputes. An arbitration mechanism will deal with unresolved complaints.
Technology and other companies have welcomed the agreement to facilitate trans-Atlantic data transfers that are necessary for their businesses.
To check if an organisation is a Privacy Shield participant, there is a Privacy Shield List on the Privacy Shield website.
For more information please contact Gríana O’Kelly, Partner in our Corporate and Commercial Department.