EU Data Watchdogs Approve EU-US Privacy Shield

Though the European Commission adopted the EU-US Privacy Shield in July, there was some question as to whether 28 European data watchdogs would allow it to be implemented as-is. The regulators have now cleared the way, noting that it may run for a period of one year, after which there will be a joint review of its successes and failures.

For its part, the Article 29 Working Party (WP29) applauded the measure but also raised a number of concerns as to Privacy Shield’s efficacy, regarding both the commercial aspects of the framework and access by US public authorities to data transferred from the EU.

The Privacy Shield is a measure that was meant to replace the Safe Harbor agreements on data privacy that failed in February. Under European data privacy principles, companies operating in the EU are not allowed to send personal data to countries with less stringent privacy regulations. The US is considered to be one such country. To overcome this commercial difficulty, the two sides had developed the Safe Harbor agreement: provided that the US company concerned agreed to abide by certain privacy guarantees, it was able to receive personal data from EU sources.

But the Edward Snowden revelations on the NSA Prism surveillance program prompted many European politicians and private citizens to question whether the Safe Harbor arrangement was actually compatible with EU privacy dictates. And so, after being in place for 15 years, it was declared to be invalid in October 2015, with Privacy Shield agreed upon in February 2016 and revised by the WP29 later that month.

Privacy Shield will see the US create an ombudsman position within the State Department to field complaints from EU citizens about US spying, and it prevents indiscriminate mass surveillance of Europeans' data.

The idea is to ensure that the $250 billion of transatlantic trade in digital services can continue unhindered, backed by assurances from the US about the handling of cross-border data transfers. It also provides for enforcement actions.

“For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data,” Commission vice-president Andrus Ansip and Justice Commissioner Vera Jourova said in a statement at the time. “Last but not least, the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms.”

The WP29, however, cites a lack of specific rules on automated decisions and of a general right to object. The group also said that it remains unclear how the Privacy Shield Principles shall apply to processors.

Concerning access by public authorities to data transferred to the US under the Privacy Shield, the WP29 said that it wants stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism. It also said that there is a lack of a concrete assurance on the part of the US that bulk collection of European data will not take place.

The WP29 expects these issues to be discussed at the first joint annual review of the Privacy Shield mechanism.

“The approval of the Privacy Shield was a step in the right direction for global commerce,” said Aaron Simpson, partner at Hunton & Williams, in an email to media. “The negotiation process was long and winding, but in the end an appropriate balance was struck between protecting the rights of data subjects in the EU and providing a practical framework for businesses to transfer data between the EU and the US… Although the path forward is not crystal clear, given that the alternatives to the Privacy Shield face challenges of their own, [the] announcement should provide the comfort many companies were looking for from the Working Party before committing to the Shield.”
