The European Commission has formally adopted a new framework for governing personal data transfers between the EU and the US, replacing the prior Safe Harbor agreement which was invalidated last fall, and aiming to end nine months of uncertainty.
The EU-US Privacy Shield agreement is another attempt to bridge two distinct legal regimes, aiming to achieve ‘essential equivalence’ of European data protection laws in the US where EU law does not have jurisdiction, while also providing legal certainty for businesses operating in the two regions.
It’s a balancing act that some expert commentators suggest is impossible without substantial reform of US laws.
But in a press conference today the lead negotiators from the two regions spoke from a joint podium to assert that after some two and half years of talks they have delivered “a framework that protects privacy and creates certainty”, as US secretary of commerce Penny Pritzker couched it. She also dubbed it a “milestone for privacy”.
EC commissioner Věra Jourová asserted that the Privacy Shield places stronger obligations on companies in the US to protect EU citizens’ data, noting for example the new ombudsman created to handle European citizens’ complaints to provide “easier redress possibilities”, and lauding the “assurances” secured from the US government that “any access to personal data for law enforcement or national security is limited to what is necessary and proportionate”.
She also took a moment to personally thank Pritzker for helping restore “trust” between the two regions — trust which took a battering after the 2013 Edward Snowden revelations revealed the extent of US mass surveillance programs.
The prior Safe Harbor regime, a self-certification program, was finally felled by a European Court of Justice exactly concerned by the impact of US mass surveillance program on European’s fundamental data protection rights.
But Jourová claimed Privacy Shield is “fundamentally different from Safe Harbor”, while also pointing to a new annual joint review process that she said will “make it easier to solve any problems that could arise”.
Earlier this year a draft version of the Privacy Shield agreement was criticized as not good enough by the influential Article 29 Working Party, made up of heads of EU Member States’ data protection agencies. The European Parliament also previously expressed concerns. But Jourová claimed the Commission has taken on board these criticisms, and has worked to make the final text “better and clearer”.
She went on to flag up a “strengthened and clarified role” for the ombudsperson; “better” clarification of instances when “bulk collection of data may occur and what distinguishes it from mass surveillance”; and “strengthened and clarified” obligations on companies signing up to the Shield, such as deleting personal data when it is no longer necessary.
The pair faced journalists questions including on the independence of the ombudsperson, the continued challenge of US surveillance programs, and the impact of a related privacy court case ongoing in Ireland.
On the latter they expressed confidence the Shield will stand up to any future court challenge — as Safe Harbor did not.
“We worked closely with the EC to ensure Privacy Shield will withstand court challenges,” said Pritzker. “With new privacy protections in place we are confident the framework will withstand further scrutiny.”
Jourová added she shares this believe, saying her confidence “stems from fact we have designed the rules of Privacy Shield based on the previous court judgement”.
European privacy campaigner Max Schrems, who brought the original challenge against Safe Harbor, disagrees.
In a statement today he dubbed the agreement “little more than a little upgrade” to Safe Harbor, adding: “It is very likely to fail again, as soon as it reaches the CJEU. This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution.”
Another questioner at today’s conference flagged up the fact that the incoming updated European data protection directive, the GDPR — due to come into force in 2018 — will mean the Privacy Shield needs to be reassessed to ensure it complies with the new legislation. On this Jourová said she is confident that a full renegotiation will not be necessary — asserting that the Privacy Shield principles include “many of the elements” in the GDPR.
Today’s adoption of the EU-US Privacy Shield follows a final vote by EU Member States last week. Four of the 28 countries abstained in that vote.
While, given the EC’s formal adoption of the agreement, the Privacy Shield decision enters into force immediately there is still a short period before companies can sign up — with the US commerce Department accepting certifications starting on August 1, to allow time for them to review the framework, which will be published in the US Federal Register, and update their compliance.
The EC said it also intends to publish a “short guide” for citizens explaining the available remedies should a person consider their personal data has been used without taking into account EU data protection rules.
Schrems is particularly scathing about the “patchwork of options” the Privacy Shield offers for private sector redress — which he argues starkly contrasts with the “effective detection and supervision mechanisms” required by the ECJ in its Safe Harbor decision.
He goes on to suggest businesses will be unlikely to rush to sign up to the Privacy Shield with lingering uncertainties about its robustness to legal challenge.
“While businesses will soon be able to sign up to the Privacy Shield system, it seems that many would only do so in addition to other – more stable – transfers mechanism like so-called “Model Contracts”,” he argued.
“It remains to be seen if a considerable number of US businesses will go through the expensive and somewhat complicated implementation procedure, if there is a high likeliness of legal challenges to the Privacy Shield system. Most expert lawyers recommend sticking with alternative mechanisms, or only using Privacy Shield as an additional option.”
“While it seems that so far, there are no immediate challenges planed, it can be suspected that there will be no lack of possible plaintiffs. In addition to activists and NGOs, the Data Protection Authorities in the 28 member states can refer the question to national courts and the CJEU. Even the European Commission mentioned the possibility of a legal challenge on the validity of the Privacy Shield,” Schrems added.