Most people will be aware of the EU-US Privacy Shield – the new framework for transatlantic data flows agreed by the European Commission and the United States.
It replaces Safe Harbor, which the Court of Justice of the European Union (“CJEU”) held not to provide adequate protection of European citizens' personal data, following a complaint by Austrian privacy activist, Maximilian Schrems, against Facebook.
The Commission states that the Privacy Shield provides stronger obligations on companies in the U.S. to protect the personal data of Europeans.
Its fact sheet on the provisions appears here.
However, the Privacy Shield has been met with a less than universally positive response. “Lipstick on a pig” is Schrems’ verdict on the Privacy Shield, describing it as a superficial reinvention of its predecessor.
Here are five reasons why he holds this view:
- Bulk data collection will be allowed under specific circumstances; namely counter-terrorism, counter-proliferation, cybersecurity, countering cyberespionage, countering threats to the US or allied armed forces, and combating transnational criminal threats;
- Individuals will need to jump over several hurdles before being able to appeal to the complaints ombudsman if they consider that their data is being abused. The deadline of 45 days within which US companies must resolve customer complaints is unrealistic given the complexity of cross-border cases and the structure of large multinationals;
- Although it would not cost anything to pursue a case for redress, the compensation available is nil;
- Privacy Shield does not abolish the s.702 US Foreign Intelligence Act which facilitates the acquisition of foreign intelligence on non-US people; and
- The European Commission will be unable to assess whether Privacy Shield is working since the guidelines used by US surveillance agencies are secret.
So what next? The European Commission issued a draft “adequacy decision” on 29 February. The Article 29 Working Party, composed of representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission, is shortly to give its opinion on the adequacy decision (on 12/13 April) and representatives of the Member States are considering their positions. There have been reports that a key group of EU data protection authorities will not support the Privacy Shield in its present form. The German Association for Data Protection, for example, has said that it was “shocked” by the provisions of the Privacy Shield (see here). The key questions are: how will the political battle play out? And, most importantly, will the Shield stand up to scrutiny by the CJEU?