According to a tweet, Giovanni Buttarelli − the European Data Protection Supervisor (EDPS) − declared during the 2016 edition of the conference Computers, Privacy and Data held in Brussels: “Don’t do it again!” This declaration was addressed to the Privacy Shield negotiators.
On the one hand, the announcement of bilateral supervision measures and enforcement mechanisms to replace the ex-Safe Harbor offers real hope to EU citizens and industry. But on the other hand, Buttarelli’s concerns reveal the gap existing between political commitments and legal reality. Currently, there is no evidence that the new EU-U.S. Privacy Shield will pass the necessary hurdles. The EU Parliament, the Article 29 Working Party (WP29) and the EDPS are important actors and they will play their watchdog role to avoid a new devastating decision of the Court of Justice of the EU (CJEU) in the future. There are several issues that will be scrutinized by these actors, including the following:
- Will the U.S. commitment not to carry out mass surveillance be implemented in enforceable regulations?
- Will the EU citizens’ redress rights be supported by adequate procedural?
- Will the U.S. ombudsperson be sufficiently independent?
Concerning this last issue, one must remember that Germany in 2010 (C‑518/07) and Hungary in 2014 (C‑288/12) were condemned by the CJEU for the lack of independence of their data protection authorities (DPAs).
Furthermore, the WP29 announced that the review process should provide the opportunity to assess the validity of the other transfer instruments, i.e. the Standard Contractual Clauses and the Binding Corporate Rules. Indeed, there were concerns about the possibility that the CJEU’s reasoning in Schrems (C-362/14) could be used to challenge these instruments. In this context, the legal failure of the Privacy Shield could be even more destructive than the crisis we just experienced.
For more information on ex-Safe Harbor and EU-U.S. Privacy Shield, please refer to the following prior Password Protected blog posts: