Der EDPS beur­teilt den Pri­va­cy Shield als unzureichend

Der Euro­päi­sche Daten­schutz­be­auf­trag­te, Gio­van­ni But­tar­el­li (“EDPS”) hat sich am 30. Mai 2016 zum Pri­va­cy Shield geäu­ssert (Opi­ni­on 4/2016; PDF). Er kommt dabei u.a. zu fol­gen­dem Ergebnis:

The draft Pri­va­cy Shield may be a step in the right direc­tion but as curr­ent­ly for­mu­la­ted it does not ade­qua­te­ly include, in our view, all appro­pria­te safe­guard­sto pro­tect the EU rights of the indi­vi­du­al to pri­va­cy and data pro­tec­tion also with regard to judi­cial redress. Signi­fi­cant impro­ve­ments are nee­ded should the Euro­pean Com­mis­si­on wish to adopt an ade­qua­cy decis­i­on. In par­ti­cu­lar, the EU should get addi­tio­nal reassu­ran­ces in terms of neces­si­ty and pro­por­tio­na­li­ty, instead of legi­ti­mi­sing rou­ti­ne access to trans­fer­red data by U.S. aut­ho­ri­ties on the basis of cri­te­ria having a legal basis in the reci­pi­ent coun­try, but not as such in the EU, as affirm­ed by the Trea­ties, EU rulings and con­sti­tu­tio­nal tra­di­ti­ons com­mon to the Mem­ber States.

Moreo­ver, in an era of high hyper­con­nec­ti­vi­ty and dis­tri­bu­ted net­works, self-regu­la­ti­on by pri­va­te orga­ni­sa­ti­ons, as well as repre­sen­ta­ti­on and com­mit­ments by public offi­ci­als, may play a role in the short term whilst in the lon­ger term they would not be suf­fi­ci­ent to safe­guard the rights and inte­rests of indi­vi­du­als and ful­ly satis­fy the needs of a glo­ba­li­sed digi­tal world whe­re many count­ries are now equip­ped with data pro­tec­tion rules.

The­r­e­fo­re, a lon­ger term solu­ti­on would be wel­co­me in the trans­at­lan­tic dia­lo­gue, to also enact in bin­ding fede­ral law at least the main prin­ci­ples of the rights to be cle­ar­ly and con­cis­e­ly iden­ti­fi­ed, as is the case with other non EU count­ries which have been ‘strict­ly asses­sed’ as ensu­ring an ade­qua­te level of pro­tec­tion; what the CJEU in its Schrems judgment expres­sed as mea­ning ‘essen­ti­al­ly equi­va­lent’ to the stan­dards appli­ca­ble under EU law, and which accor­ding to the Artic­le 29 Working Par­ty, means con­tai­ning ‘the sub­stance of the fun­da­men­tal prin­ci­ples’ of data protection

Der EDPS bemerkt fer­ner, dass der Ent­wurf der Ade­qua­cy Decis­i­on für den Pri­va­cy Shield auf der Daten­schutz­richt­li­nie beruht, obwohl die DSGVO 2018 in Kraft tre­ten wird.




Ähnliche Beiträge