
Here’s what you need to know about the EU-US Privacy Shield


This article is co-authored by Steve Farmer. Rafi Azim-Khan, a partner at Pillsbury, discusses what the next steps for the EU-US Privacy Shield are.

Back in February, the European Commission and the US Department of Commerce reached an accord on a new transatlantic data transfer protocol.

Nicknamed the EU-US Privacy Shield (Privacy Shield), there were high hopes that the framework would replace the 15-year-old Safe Harbor, which was invalidated by the European Court of Justice (CJEU) last year.

The announcement was met with an initial sigh of relief from those in the tech sector who had been relying on the now-defunct Safe Harbor for transferring data from the European Union.

However, whilst it appeared significant progress had been made, a recent rejection of the Privacy Shield by the Article 29 Working Party (Working Party), the group composed of representatives of the EU national data protection authorities, has arguably put matters back and underlined that the Privacy Shield is certainly not the silver bullet many of its advocates initially considered it to be.

Working Party Criticisms

Whilst the Working Party acknowledges that the Privacy Shield offers improvements compared to its predecessor, it identified a number of key flaws in its opinion as follows:

• Lack of clarity – its view is that the Privacy Shield documentation is difficult to understand and that, in particular, there is “an overall lack of clarity”. It suggests that a glossary of terms should be added to the agreement’s appendix to clarify important concepts.

• No equivalent protection – one of the key concerns of the Working Party is that the US will continue not to hold European citizens’ data to the same standards that apply under EU law. It notes that a number of data protection principles that are central to EU law are missing from the new framework.

For example, it notes that the Privacy Shield documentation does not address data retention adequately, raising concerns that it would not prevent an organisation in the US holding data indefinitely, when this would not be permitted in the EU.

• Problems with the ombudsperson – whilst the Working Party welcomed the introduction of an ombudsperson to deal with complaints brought by data subjects, it has concerns that this person does not appear to be sufficiently independent.

In addition, it raised questions over whether the ombudsperson has sufficient powers to effectively exercise its duty and whether the redress mechanism is too complex.

• Collection of data by law enforcement – the Working Party goes on to express concerns in its opinion that “massive and indiscriminate” collection of data by US law enforcement agencies is not fully excluded, and that the circumstances in which law enforcement agencies may access data are unclear.

More specifically, it has concerns that the exceptions allowing bulk collection of data (e.g. “terrorism”, “cybersecurity threats” and “espionage”) are inadequately defined.

• Problems with the grace period – the Working Party was critical that organisations that certify within two months of the Privacy Shield arrangement coming into force receive a nine-month grace period from compliance with the third-party contracting requirements (i.e. the new requirements the Privacy Shield imposes on contracts for onward transfers to third parties).

The Working Party considered that organisations should be compliant right away.

What Does This Mean For Businesses?

Whilst the Working Party’s opinion is non-binding, it does carry significant weight, bearing in mind that the authorities behind it will retain substantial power to review individual data transfers made under the Privacy Shield.

While the adoption of a new EU-US data transfer protocol is arguably preferable to the gaping hole that the invalidated Safe Harbor left in place, this opinion leaves the door open on several important issues that may ultimately undermine its efficacy.

In terms of next steps, the European Commission will now consult with a committee consisting of representatives of the EU Member States before it issues a final decision on what the Privacy Shield will look like.

However, if the final decision is voted through, it is widely expected to be challenged via the European courts in the same way that Safe Harbor was.

Such question marks over the long-term future of the Privacy Shield (added to by the built-in mechanism which allows for it to be dismantled or substantially changed each year) arguably diminish its value as a long-term compliance solution, and it is argued that it should not be relied on alone to safeguard transatlantic transfers.

With these types of uncertainties on the table, it is argued that other options for transatlantic data transfers – namely model contract clauses and binding corporate rules – remain safer alternatives for tech companies than opting into the Privacy Shield.

The details will no doubt become clearer in the coming weeks, but in any event, companies would be best advised to consider all their options rather than placing too much faith in the Privacy Shield in light of these recent developments.
