The EU-U.S. Privacy Shield is the legal framework which enables personal data transfers from the EU to U.S. to companies that have adhered to the principles of the Privacy Shield (see our previous blogpost here). The U.S. Department of Commerce registers the companies that have undertaken the strict obligations imposed by the Privacy Shield via a self-certification mechanism. The aim of the Privacy Shield mechanism is to provide adequate protection for the personal data relating to persons in the EU which is transferred to and processed in the U.S. The Article 29 Working Party, overseeing the Privacy Shield mechanism on an EU-level, has recently adopted and published two documents of significance.
First, a complaint form to file commercial related complaints involving the EU-U.S. Privacy Shield framework (not relating to matters within the ombudsperson mechanism). This form is optional to use, but will be an easy way to provide the European national DPAs with the information necessary to handle the complaint. The complaint form can be found here.
Secondly, rules of procedure for the informal Panel of DPAs has been adopted. The informal Panel of DPAs handles complaints relating to the EU-U.S. Privacy Shield framework, and provides binding advice to U.S. organisations. The panel only has competency for organisations which have committed to cooperate with the DPAs or which process HR data collected in the context of an employment relationship The rules can be found here.
The Privacy Shield has been subject to criticism leading to legal challenges of the framework (Case T-670/16 and Case T-738/16). The practical application of the newly published documents and procedures will be essential going forward for the Privacy Shield mechanism as well as for transatlantic data transfers. The Article 29 Working Party will keep monitoring the Privacy Shield framework and the Working Party will send a letter to U.S. authorities concerning the latest U.S. legislative developments and their impact on the Privacy Shield (see here).