EU-US Privacy Shield


Implementing Decision (EU) 2016/1250

Title: Commission Implementing Decision (EU) 2016/1250 of July 12, 2016 in accordance with Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection offered by the EU-US Privacy Shield
Designation (not official): EU-US Privacy Shield
Scope: EEA
Legal matter: Data protection law
Basis: Directive 95/46/EC, in particular Article 25 paragraph 6
Reference: OJ L 207 of 1.8.2016, pp. 1–112
Regulation was declared null and void.

The EU-US Privacy Shield (also EU-US data protection shield) is an informal agreement in the field of data protection law that was negotiated between the European Union and the United States of America from 2015 to 2016. It consists of a number of assurances from the US federal government and an adequacy decision by the EU Commission. On July 12, 2016, the Commission decided that the requirements of the data protection shield correspond to the data protection level of the European Union; from then on the agreement could be applied.

The agreement regulates the protection of personal data that is transferred from a member state of the European Union to the USA. It became necessary after the European Court of Justice (ECJ) in October 2015 declared the European Commission's Safe Harbor decision, which had previously been applied, to be invalid.

On July 16, 2020, the ECJ also declared the EU Commission's decision on the adequacy of the EU-US Privacy Shield to be invalid through the Schrems II ruling.

History

The European Commission announced the agreement with the USA on the EU-US Privacy Shield on February 2, 2016.

As a prerequisite, US President Barack Obama signed the Judicial Redress Act on February 25, 2016, which gives EU citizens who allege a breach of data protection an opportunity to take legal action in the US. According to the assessment of the former Federal Data Protection Commissioner Peter Schaar, however, unlike American citizens they must first try to enforce their rights through administrative channels.

The agreement and the accompanying European law resolutions and regulations were published on February 29, 2016 and have only been changed insignificantly since then. The wording of the texts was announced when the regulations were presented.

At the beginning of July 2016, most EU member states agreed to the data protection shield. Austria, Croatia, Slovenia and Bulgaria abstained. The Federal Data Protection Commissioner Andrea Voßhoff stated that “especially in the so-called commercial part”, the Commission had previously “taken into account many of the data protection officers' requests” and changed the originally submitted draft. However, the data protection officers were to be given no further opportunity to comment.

In the transitional period, American companies relied on the standard contractual clauses under Article 26, Paragraph 2 of the EU Data Protection Directive of 1995, which EU data protectors had once approved. The European Commission referred to this approach.

The Commission adopted the adequacy decision that "the guarantees for transfers of data based on the new EU-US Privacy Shield are in line with data protection standards in the EU" on July 12, 2016, after hearing the Article 29 Working Party, and forwarded it to the EU member states.

On September 16, 2016, the Irish organization Digital Rights Ireland filed an action for annulment under Art. 263 TFEU with the General Court of the European Union (CFI) against the European Commission's adequacy decision on the EU-US data protection shield. Network activists from La Quadrature du Net and the French Data Network FDN and FFDN also initiated corresponding proceedings.

Therefore, the EU Justice and Consumer Commissioner Didier Reynders stated in letter EN E-001120/2020 in May 2020: “The Commission is a party in the two proceedings pending before the European Court of Justice that are relevant to the Privacy Shield (T-738-16, La Quadrature du Net and C-311/18, Schrems II). Although the Commission cannot predict the outcome of the litigation, it is examining possible scenarios ... In parallel, the Commission is continuing its work on alternative instruments for the international exchange of personal data; this also includes the review of existing standard contractual clauses.” Before the hearing on its validity before the European Court of Justice (ECJ) on July 16, 2020, the EU Advocate General expressed considerable doubts about the validity of the EU-US Privacy Shield Agreement.

After the change to the Trump administration, EU Justice Commissioner Věra Jourová declared in March 2017 that she would override the agreements if the federal government of the USA "changed something 'significantly'". The “unpredictability” of the new government, she said, is “a problem”. In its first report on experience with the agreement in October 2017, the Commission stated that the procedure “works” and “continues to offer an adequate level of data protection”. It recommended "improvements", including educating EU citizens about their Privacy Shield rights, and called for the ombudsman to be appointed as soon as possible. Alexander Sander, the chief executive of the non-governmental organization Digital Society, contradicted the Commission's opinion, saying that legal protection for EU citizens is inadequate.

By judgment of July 16, 2020 (Case C-311/18), the European Court of Justice declared the Commission's Implementing Decision (EU) 2016/1250 of July 12, 2016 under Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection offered by the EU-US Privacy Shield to be invalid. Those responsible under data protection law can no longer rely on the adequacy of the data protection level under the EU-US Privacy Shield (Art. 45 GDPR) for data transfers to controllers or contract processors based in the United States.

Regulations

According to the version published at the end of February 2016, the Privacy Shield is a package of regulations: the agreement itself, an "adequacy decision" of the European Commission and other texts that are to be incorporated into the European legislative process. These include the data protection principles that American companies must comply with, as well as written assurances from the US federal government, which are to be published in the US Federal Register. These assurances contained "guarantees and restrictions on data access by authorities".

As was the case with the Safe Harbor list before, American companies will again register themselves in a corresponding list and commit themselves to comply with the relevant obligations.

The American side had assured the European Commission that it would take effective supervisory measures against companies, which could be subject to sanctions up to and including their removal from the list of beneficiary companies. The transfer of data to third companies is now tied to stricter requirements.

The EU Commission also stated that the American government had given the EU a written assurance through the office of the Director of the Intelligence Service that access to personal data of EU citizens for reasons of national security would be subject to "clear restrictions, guarantees and supervisory mechanisms". EU citizens could turn to an ombudsman at the US State Department to investigate violations and check whether a company has acted unlawfully. All written information and statements from the ombudsman would be published in the US Federal Register.

EU citizens are also granted claims against American companies. The companies would have to investigate complaints within 45 days. In the event of a dispute, there is a procedure for alternative dispute resolution. In addition, citizens can also turn to their national data protection authorities, who would investigate complaints together with the Federal Trade Commission. Companies that process personal data must comply with the recommendations of the national data protection authorities of the EU member states; other companies can undertake to do this voluntarily.

The European Commission would produce an annual report on the experience with the Privacy Shield and forward it to the European Parliament and the European Council. The review will be carried out by the Commission in conjunction with the US Department of Commerce. "Experts from the US intelligence services and the European data protection authorities" would be involved, as would non-governmental organizations and "other stakeholders" who would be invited to a data protection summit.

Criticism

The agreement - the American press called it a "deal" - was subject to considerable criticism from the start. Max Schrems, the plaintiff in the main proceedings that brought down the Safe Harbor scheme, pointed out even before the details were published that assurances given by the US federal government shortly before the 2016 United States presidential election “in no way constitute a sufficient guarantee of fundamental rights for hundreds of millions of Europeans”. In July 2016 he specified his criticism in an interview on Deutschlandfunk to the effect that after the entry into force of the decision on the EU-US data protection shield there would be no significantly different legal situation than before under Safe Harbor: “It says exactly the same inside, US law takes precedence, if US law says the data may be intercepted, then the data may be intercepted. ... If you ... look at the documents ... it says explicitly that there is definitely still mass surveillance for six cases. And then it is also the case that this definition of what mass surveillance actually is is a bit bizarre among the Americans.” Together with the Green MEP Jan Philipp Albrecht, Schrems took a position against the agreement at a press conference in Brussels when the Privacy Shield was presented on July 12, 2016.

After reviewing the published documents, 27 civil rights organizations and data protection advocates also rejected the Privacy Shield. Above all, they criticized that the agreement was not legally binding because it was not a contract, but merely a collection of letters. Mass surveillance measures by the American government also remained permissible. In particular, they are not subject to a proportionality test, which violates European law. In addition, those affected would still not be able to effectively pursue their rights because they would not find out about the surveillance. For that reason the ombudsman, who also lacks the necessary powers, would not help them either.

The Article 29 Data Protection Working Party reported concerns about the Privacy Shield in a statement on April 13, 2016. The data protection authorities stated that there was still comprehensive and unreasonable surveillance of EU citizens. Furthermore, the data retention principle was not recognized therein. The designated ombudsman - as an official of the American State Department - lacks the necessary independence.

On May 24, 2016, the European Parliament also called on the Commission by 501 votes to 119 in a joint motion for a resolution to remedy the known shortcomings of the Privacy Shield.

After the newly elected President Donald Trump signed an order on January 25, 2017, according to which the applicability of the Privacy Act was excluded for persons who are not US citizens or permanent legal residents of the USA, Peter Schaar doubts whether an “adequate level of data protection” for EU citizens can still be assumed.

The European Parliament adopted a critical resolution on the Privacy Shield on April 6, 2017. The majority in parliament identified considerable deficits in data protection and considered the surveillance practice in the USA to be incompatible with EU law.

At the first meeting of the European Data Protection Board in January 2019, it was criticized that the position of ombudsman had still not been permanently filled; in addition, there is a lack of disclosure of its powers to the security authorities. The Federal Data Protection Commissioner doubted that "the ombudsperson mechanism in practice provides the necessary level of legal protection" and called for a remedy.

Further adequacy decisions by the EU Commission

In other cases, the European Commission has decided that other countries have a level of data protection comparable to that of the EU. By May 2019 there were twelve adequacy decisions in relation to traffic with Andorra, Argentina, the British Crown dependencies Guernsey, Isle of Man and Jersey, the Danish archipelago of the Faroe Islands, Israel, Japan, Canada (only for commercial organizations), New Zealand, Switzerland and Uruguay.

An adequacy decision has been under negotiation with South Korea since at least 2018 (as of July 2020).

Literature

  • Robert Klecha: Data transfers to the USA after the Safe Harbor ruling by the ECJ. An investigation with special consideration of the EU-US Privacy Shield. In: Series of publications on data protection and freedom of information. No. 22. Publishing house Dr. Kovač, Hamburg 2018, ISBN 978-3-339-10480-9.
  • Network data protection expertise (ed.): Privacy Shield - Presentation and legal evaluation. March 7, 2016. Retrieved March 28, 2016.
