In accordance with the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176), the Italian Data Protection Authority published on November 22, 2016, the resolution, which allows undertakings to transfer personal data from Italy  to organizations in the United States under the EU-U.S. Privacy Shield.

The EU-U.S. Privacy Shield is based on a system of self-certification by which U.S. organizations commit to a set of privacy principles — the EU-U.S. Privacy Shield Framework Principles, including the Supplemental Principles (hereinafter together: ‘the Principles’) — issued by the U.S. Department of Commerce. It applies to both controllers and processors (agents), with the specificity that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.

Under the Decision of the EC, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organizations in the United States that are included in the ‘Privacy Shield List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.

The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VII.

Under the Decision, the EC will continuously monitor the functioning of the EU-U.S. Privacy Shield with a view to assessing whether the United States continues to ensure an adequate level of protection of personal data transferred thereunder from the Union to organizations in the United States.In addition,the Commission will present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to suspending, amending or repealing this Decision or limiting its scope, if the U.S. public authorities so not comply with the representations and commitments contained in the documents annexed to the Decision, including as regards the conditions and limitations for access by U.S. public authorities for law enforcement, national security and other public interest purposes to personal data transferred under the EU-U.S. Privacy Shield.

Hence, taking into account principles set in the Decision of the EC, the Italian Data Protection Authority will be able to  verify anytime the lawfulness and fairness of data transfers to US organizations and to adopt, if necessary, the measures required under the Privacy Code.

Silvia Giampaolo

November 22th, 2016

News archive