The relationship between privacy and personal data processing has always been one of the most complex issues in cloud computing.
The evolution of the subject, and of the related data-sharing issues between Europe and the United States, spans a period of nearly forty years, from the so-called 1980 OECD Guidelines to the latest Privacy Shield of 2016, which is now being studied and analyzed by European and national authorities.
Privacy Shield
Introduced last year following tight negotiations between the US and the European Commission, Privacy Shield has replaced the Safe Harbor Agreement, which was declared illegal by the European Court of Justice in 2015. It is a mechanism for transferring personal data from one continent to the other that is much more secure than the previous one and that contains, as one of its most notable novelties, the first commitments by the US Administration regarding its access to data.
There are several elements underlying the "privacy shield". First, further checks were carried out by the US Department of Commerce (DoC) in concert with experts from the US Security Services and the European Data Protection Authorities, which may in the worst case result in removal from the list of affiliated companies.
A monitoring phase has been introduced with the European Commission, which will discuss a public report on the results achieved before Parliament and the Council. As noted above, strict restrictions on access to personal data by US public authorities have been laid down for the first time. These authorities have given assurances that access will be subject to control mechanisms with appropriate limits and guarantees, and that bulk data collection will be allowed only in special cases. Therefore, indiscriminate and massive access will no longer be allowed, as might have happened earlier.
The instruments of legal protection
Of utmost importance are the tools introduced to protect individuals who believe their individual rights have been infringed. Citizens can now turn directly to the company, which will have to respond to complaints within forty-five days.
Alternatively, an Alternative Dispute Settlement Body (ADR) may be engaged through a completely free procedure, or citizens may contact the Data Protection Authority, which will examine the complaint with the Department of Commerce and the US Federal Trade Commission.
In any case, it is always possible to turn to the individual National Data Protection Authorities. If even the Federal Trade Commission's intervention does not resolve the matter, you can turn to the Privacy Shield Panel for an arbitration procedure or, in more specific cases, initiate a mediation procedure. Lastly, the figure of the Ombudsperson (a sort of Ombudsman) is introduced, an autonomous body whose task is to receive and evaluate any complaints submitted by the parties concerned.
The first annual report: Privacy Shield between optimism and expectations
The first review of Privacy Shield, which took place in mid-October, was a success far beyond expectations. The review work focused essentially on checking the mechanisms and procedures introduced with the shield.
Those working in the field expressed satisfaction with the way companies have handled the registration procedures, with over 2,400 registered companies. The review meeting also allowed the Commission to list some critical aspects of the current system, with a view to improving them over the next twelve months.
Here, briefly, are some of the critical issues that emerged. First, businesses cannot claim to hold Privacy Shield certification before it has actually been granted by the United States Department of Commerce.
Secondly, the DoC should carry out constant checks on those companies that falsely declare that they have the certification in question or, more simply, have started the procedure but have not voluntarily completed it.
The Department should therefore continuously monitor the compliance of US organizations with the principles of the Privacy Shield and appoint a permanent Ombudsperson (to date the post is only temporary). Lastly, the Commission has called for closer ties between the US authorities and the Commission in order to monitor developments in the functioning of the Privacy Shield.