Global Data & Privacy Update - April 2016

Author: Mr Mark Williamson and Isabel Ost
Profession: Clyde & Co

Welcome to the April Global Data & Privacy Update. This update is dedicated to covering all the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news in breaches and industry developments of the previous month.

The European Commission release EU-US Privacy Shield legal texts

On 29 February 2016, following two years of negotiations with the US Department of Commerce, the European Commission published the EU-US Privacy Shield legal texts along with a draft adequacy decision. It is intended to replace the Safe Harbour scheme, which was held to be invalid by the Court of Justice of the European Union (CJEU) in the Schrems decision in October 2015, by facilitating transatlantic personal data flows whilst ensuring adequate protection for EU citizens.

The Privacy Shield is a self-certification scheme by which US organisations commit to a set of seven privacy principles:

Notice principle: organisations must provide consumers with information relating to the processing of personal data. Also, an organisation's privacy policy must be publicly available.

Choice principle: consumers may opt out if an organisation is sharing their personal data with third parties (other than an agent acting on behalf of the organisation) or where their personal data is used for a materially different purpose.

Security principle: organisations creating, maintaining, using or disseminating personal data must take reasonable and appropriate security measures, taking into account the risks involved in the processing and the nature of the data.

Data integrity and purpose limitation principle: personal data must be limited to its processing purpose and be reliable, accurate, complete and current.

Access principle: consumers have the right to obtain from an organisation confirmation of whether the organisation is processing personal data related to them and have access to the data within reasonable time. This right may only be restricted in limited circumstances. Consumers must also be able to correct, amend or delete personal data where it is inaccurate or has been processed in violation of the privacy principles.

Accountability for onward transfer principle: any onward transfer of personal data from an organisation to controllers or processors can only take place: (i) for limited and specified purposes; (ii) on the basis of a contract; and (iii) only if the contract provides the same level of...
