EU-US Privacy Shield to once again ensure safe harbours for data transfers


The annulled Safe Harbour agreement puts research collaborations in a peculiar position.  Here, Jane Reichel, Professor of Administrative Law, gives an update on the negotiations.

Jane ReichelThe EU Commission recently presented a draft “adequacy-decision” with results of the negotiations with the USA on safe data transfer across the Atlantic, the EU-US Privacy Shield. This is a follow up on the previous, now annulled, Safe Harbour agreement. The decision includes the privacy principles that US organisations will need to apply in order to comply with EU law. It is drafted as a general decision, but is mainly directed to commercial organisations.

The EU-US Privacy Shield is based on self-certification, where US organisations who have commited to the privacy principles are included on a list maintained by the US Department of Commerce. A yearly re-evaluation of the committment is also foreseen.  The Privacy Shield applies to EU data being processed in the USA: Before transfer, the EU controller must ensure that there is a legal basis allowing for the data to be sent, for example an informed consent. The Privacy Principles consist of 13 Framework Principles corresponding to basic data principles in the Data Protection Directive and Supplemental Principles, including specifications and exceptions to framework principles and informational and institutional rules for the US data controllers to abide by. These principles can be found in annex II to the decision.

Among the Framework Principles are a notice principle and a choice principle. The first requires organisations to provide information to data subjects on key elements relating to processing of personal data. The choice principle means data subjects can choose to opt out if their personal data is disclosed to third parties. For sensitive data, organizations must obtain new consent (opt in) before disclosing such information to a third party or using it for new purposes. The Supplementary Principles offers some exceptions in relation to pharmaceutical and medical products (Article 14).  A certain leeway is given regarding consent for future use. As long as the notice to the data subject has included an explanation that personal data may be used in future, yet unanticipated, medical and pharmaceutical research, data may be used for a new scientific research activity.  However, there are clear limits to how broad the consent may be. On the other hand, key-coded data could, under certain circumstances, be considered not to be personal data (Article 14 g), meaning that the Privacy Shield Principles do not have to be upheld at all.

The next step in the procedure is for the EU Article 29 Working Group to state an opinion whether the draft decision can be considered to be in compliance with fundamental EU law on data privacy rights. 

By Jane Reichel

More biobank related news