This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies.
Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The European Commission’s first review of the EU-U.S. Privacy Shield data transfer program provides valuable guidance for U.S. companies if they begin facing formal complaints about their transfers of EU personal information to the U.S., privacy professionals told Bloomberg Law.
The commission, the EU’s executive arm, gave the green light to the continuation of the Privacy Shield in an Oct. 18 report. But the absence of complaints to EU privacy regulators leaves U.S. corporate compliance untested when it comes to significant issues, such as the use of algorithms and other computer-automated decision-making, commission staff said in their work report released alongside the commission report.
Some U.S. companies have been contacted by individuals in the EU with questions about what happens to their data transferred to the U.S., but none of these contacts have triggered any of the various Privacy Shield complaint mechanisms, an EU official who asked not to be identified citing official policy told Bloomberg Law. Companies have reassured individuals about the treatment of their data, the official said. The official declined to provide details number of individual queries or name of companies involved.
But queries could turn into complaints as EU data subjects become more aware of their rights under the Privacy Shield, Brian Hengesbaugh, data protection partner at Baker & McKenzie LLP in Chicago, told Bloomberg Law. In particular, the new EU privacy regime—the General Data Protection Regulation (GDPR)—may heighten privacy awareness when it takes effect in May 2018, Hengesbaugh, a former special counsel to the U.S. Department of Commerce, which overseas the Privacy Shield in the U.S., said.
The Privacy Shield replaced the U.S.-EU Safe Harbor program, which the EU’s top court invalidated in 2015, in part over concerns about how EU citizens could enforce their privacy rights in the U.S. McKesson Corp., Oracle America Inc., Eli Lilly Co., and more than 2,500 other U.S. companies rely on the program to send data from the EU to the U.S.
The commission’s report “works as guidance for companies to verify their processes and procedures as part of their Privacy Shield compliance program,” Jorg Hladjk, European data protection of counsel at Jones Day in Brussels, told Bloomberg Law.
Automated decision making employed in the processing of personal data—such as the use of artificial intelligence, algorithms or other mechanisms to make decisions on how to categorize, share, or evaluate data—gets special attention under EU law and is referenced in the Privacy Shield report.
Under the forthcoming GDPR, individuals will have the right to object to decisions taken about them based solely on automated decision-making, such as a decision not to grant a potential buyer a loan if that decision is taken only on the basis of automated credit scoring.
The GDPR requires that companies that control the collection and use of personal data provide “a simple way” for individuals to exercise the right to object to automated decision-making and contest the decision, according to recent draft guidance from the Article 29 Working Party of privacy officials from the 28 EU countries. “Human intervention is a key element” in any review of automated decisions, according to the guidance. The Working Party has said it will issue its own review of the Privacy Shield in November.
The focus on automated decision in the Privacy Shield report shows that the commission engaged in a “very granular review” of how U.S. companies are carrying out their privacy obligations when using EU personal data, Hengesbaugh said. Companies should be mindful of what is emphasized in the report as insight into what will likely be heightened future enforcement, he said. The attention of the commission to automated processing may also lead to it at some point proposing changes to the Privacy Shield pact, he said.
In addition to becoming a source of Privacy Shield complaints, automated decision-making law violations under the GDPR could attract a fine of up to 20 million euros ($23.5 million) or 4 percent of the company’s worldwide revenues from EU privacy regulators.
The low level of Privacy Shield-related queries shows that most EU citizens “don’t even know their data is being processed outside Europe,” Agustin Reyna, senior legal officer with the European Consumer Organization, which represents 42 independent national consumer associations from 31 European countries, told Bloomberg BNA.
EU privacy regulators and commission officials are engaged in a GDPR educational push aimed at companies and individuals that includes details on cross-border data transfers.
Consumers in the EU “really ought to be aware that their data is flowing practically unimpeded across the Atlantic to the U.S.,” Simon Migliano, head of research at London-based Top10VPN.com, which reviews virtual private networks, told Bloomberg Law.
To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com
To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com
The European Commission's EU-U.S. Privacy Shield report is available at http://src.bna.com/ttV,The commission staff work report s available at http://src.bna.com/tyX.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to books@bna.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to research@bna.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)