Queued up to self-certify
Internet giant Google has signed up to the Privacy Shield, a framework designed to facilitate the transfer of personal data between the EU and US by businesses.
Data storage and software provider Dropbox has also self-certified under the Privacy Shield.
The companies are the latest major US technology businesses to sign up to the scheme.
Google’s certification was registered on 22 September and Dropbox’s on 23 September.
Microsoft self-certified under the Privacy Shield in August. >Amazon also announced that it was in the process of self-certifying last month, but it appears that it has still to complete that process as its certification is not yet listed.
Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield.
Data protection law expert Cerys Wyn Davies of Pinsent Masons, the law firm behind Out-Law.com, previously explained that businesses that sign up to the Privacy Shield within the first two months of it becoming operational can do so without first having to update arrangements for sharing data with others. Wyn Davies said, though, that those businesses then only have a limited time in which to put new contracts in place.
The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA).
However, Hamburg’s data protection authority has said it is considering raising a legal challenge against the European Commission’s endorsement of the Privacy Shield.
Earlier this summer the Article 29 Working Party, a committee representing national data protection authorities from across the EU, stated that it retains some concern about aspects of the Privacy Shield, including in respect of “mass and indiscriminate collection of personal data” by US authorities as well as on some “commercial aspects” of the framework.
It said it “regrets … the lack of specific rules on automated decisions and of a general right to object” and said it “also remains unclear how the Privacy Shield Principles shall apply to [data] processors”.
Despite its concerns, however, the Working Party indicated that the watchdogs will not challenge the legitimacy of data transfer arrangements under the new Privacy Shield during the first year of its operation.
Copyright © 2016, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.