Last month, the EU Article 29 Data Protection Working Party (an authoritative EU body consisting of representatives of the national data protection authorities) published its views on the EU-US Privacy Shield.
If and when the Privacy Shield will be endorsed by the EU (ie. if the EU Commission adopts a decision declaring that the Privacy Shield provides an adequate protection) US-based companies will be able to adhere to the Privacy Shield and, as a result, they will be entitled to freely receive and handle personal data originating from the EU.
The Privacy Shield is the result of intense negotiations between the EU Commission and the US government that were accelerated when the Court of Justice of the EU, in October last year, held that the EU-US Safe Harbor program (ie. the Shield’s predecessor) was not compatible with the EU Data Protection Directive and with the Charter of Fundamental Rights of the European Union following revelations that EU originating personal data may be subject to large-scale surveillance by US authorities.
Why is the Privacy Shield important?
The EU takes the view that the US does not provide the same level of data protection as the level of protection provided by EU law.
Therefore, EU law makes transatlantic data flows subject to very cumbersome and strict obligations (such as, for instance, an obligation for EU data exporters to conclude pre-defined data transfer agreements with US-based data importers).
The Privacy Shield is meant to make such data flows easier while ensuring that the data remain sufficiently protected.
Why is the opinion of the Article 29 Working Party so important?
Firstly, because the Working Party consists of representatives of the various national data protection authorities in the EU. Therefore, opinions issued by the Working Party represent the views of the national privacy watchdogs and, although these opinions are not binding upon the EU Commission, it would not be wise for the Commission to disregard them.
Secondly, in its opinion of last week the Working Party has expressed strong concerns about the Shield. For example, the Working Party finds that all onward data transfers from a Privacy Shield entity to recipients in a third country should not lead to lower protection of the data or, worse even, to no protection data at all.
Another example: the Working Party finds the US does not provide sufficient commitment to exclude massive and indiscriminate collection of EU originating data.
The Working Party essentially insists that the EU Commission goes back to the negotiation table in order to improve the level of protection afforded by the Shield is indeed essentially equivalent to the level of protection afforded by EU laws.
I think that it is very optimistic to assume that the Commission will manage to get a new deal with the Americans soon. Indeed, the US government already indicated that there is very little (if any) margin left for (re)negotiating the Privacy Shield.
The clock is ticking
This autumn a new US president will be elected and it may well be that the new administration may have (far) less appetite to accommodate the EU’s privacy concerns than is the case for the current Obama administration. This is why the EU Commission is currently aiming to adopt its adequacy decision (thereby finalising the deal) as soon as possible.
I would not be surprised if the EU Commission would disregard the concerns raised by the Working Party and finalize the deal. After all, it will be up to the Court of Justice to decide whether or not the Privacy Shield is robust enough to stand the test and therefore to assess whether the Working Party’s concerns are justified. And it is likely that the Privacy Shield, once it enters into force, will be put up for judicial scrutiny in Europe in the near future.
Whatever the outcome of the current debate, it is clear that there will be quite some uncertainty about the reliability of the Privacy Shield. And therefore, I expect the Privacy Shield to become less popular than its predecessor, the Safe Harbor framework.
Also, I expect that businesses will, at least in the short to middle-long run, use other mechanisms to legitimize international data flows (eg. by implementing data transfer agreements or by implementing binding corporate rules).
As Winston Churchill used to say: “This is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning”.