Today, the EU-U.S. Privacy Shield deal finally crossed the finish line, as Justice Commissioner Věra Jourová and U.S. Secretary of Commerce Penny Pritzker gave it their final stamp.
The Privacy Shield replaces the Safe Harbor agreement, which had been in place for 15 years before the European Court of Justice (‘ECJ’), in its Schrems judgment, struck it down. According to the European Commission (‘Commission’), Safe Harbor gave privileged status to U.S. companies, allowing them to “self-certify” that they complied with privacy standards agreed between the Commission and the U.S. Department of Commerce. As a result of the judgment, a new framework was needed.
On February 2, 2016, after two years of intense discussions, the EU and the U.S. reached a new political agreement on commercially driven transatlantic transfers of personal data: the Privacy Shield.
In order to implement the Privacy Shield, a so-called ‘adequacy decision’ was required from the Commission: a decision acknowledging that a third country (in this case the United States) ensures a level of data protection that meets EU standards through its domestic law and international commitments.
Such an adequacy decision had to be taken on the basis of the Commission’s draft decision texts, which it presented on February 29, 2016. The decision was adopted through the comitology procedure, which involved the following three consecutive steps:
First, the Article 29 Working Party, established under Article 29 of the Data Protection Directive, an independent advisory body composed of the national data protection authorities, was required to give its opinion on the proposed agreement. The Working Party recognized the important improvements in the new Privacy Shield, but remained concerned that it did not go far enough to comply with EU privacy law. Nevertheless, it adopted a nonbinding positive opinion on the scheme on April 13, 2016.
Second, the Article 31 Committee, established under Article 31 of the Data Protection Directive and composed of representatives of the Member States, needed to give its binding support to the agreement, which it did on July 8, 2016. However, despite a high level of reassurance, Austria, Bulgaria, Croatia, and Slovenia abstained from the vote. According to a Politico Pro news article, Austria was known to have reservations: the country is proud of its own data protection regime and had previously voted against the EU’s General Data Protection Regulation because it deemed the law too weak. Slovenia and Croatia sided with Austria, while Bulgaria apparently had no voting instructions from its capital. No Member State voted against.
Finally, the decision was formally adopted by the College of Commissioners through a written procedure (meaning it was distributed to the cabinets of all 28 Commissioners, who had a set time frame in which to comment) on July 11, 2016, thereby declaring the “adequacy” of the U.S. data privacy framework.
And today, July 12, 2016, there was a formal ceremony for the signing of the deal, after which the final text was presented by European Justice Commissioner Věra Jourová and U.S. Secretary of Commerce Penny Pritzker at a press conference in Brussels. They announced that companies looking to transfer data across the Atlantic will be able to sign up to the Privacy Shield mechanism next month, as the U.S. will begin accepting certifications on August 1, 2016. They further said that the United States and the EU will brief companies on the details of the application process later this week, probably Thursday. The Commission also plans to release a ‘citizens’ guide’ that will discuss “all the available redress options”.
According to the Commission’s press release, the end result is a new arrangement that imposes firmer obligations on U.S. companies to protect Europeans’ personal data and requires stronger monitoring and enforcement by the competent U.S. authorities, including through close cooperation with the European Data Protection Authorities. For instance, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies against the rules imposing those obligations, and it will have the power to remove companies from the authorized list and to impose sanctions for noncompliance.
The new arrangement further requires that U.S. public authorities be subject to clear conditions, limitations, and oversight when accessing personal data transferred under the Privacy Shield, in order to prevent generalized access. Access by public authorities will thus be subject to defined conditions, and bulk collection will be kept as narrow as possible, with no automatic right to collect such data. In addition, EU citizens will benefit from an ombudsperson mechanism and from an independent, free-of-charge arbitration service in case of disputes.
Lastly, an annual joint review mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurances regarding access to data for law enforcement and national security purposes.
On the U.S. side, the Secretary of Commerce likewise announced that companies could submit self-certifications of compliance with the new Privacy Shield obligations beginning August 1.
However, it is not at all certain that the deal is out of the woods. Privacy activists are ready to challenge it in court. According to Max Schrems (of the ECJ Schrems judgment), “this deal is bad for users, which will not enjoy proper privacy protections, and bad for businesses, which have to deal with a legally unstable solution.” This in turn raises the concern that companies will be reluctant to sign on, out of fear that the deal will eventually be struck down.