The EU-US Privacy Shield is a data transfer framework which provides for the transfer of personal data of EU citizens to the US for processing without the risk of breaching fundamental European privacy rights. The framework was agreed in February 2016 and opened for sign-up in August. More than 2000 companies have signed up, including big guns like Facebook, Microsoft and Google.
Privacy Shield replaced the Safe Harbor program, which was invalidated by the European Court of Justice in October 2015. The key concerns leading to that decision were the indiscriminate and excessive government access to EU citizens’ personal information and the lack of judicial redress mechanisms for EU citizens for privacy-related complaints.
The new framework aims to offer more robust privacy guarantees, including:
- Stronger requirements and accountability for onward transfer. To make a transfer to an agent (or processor), an organisation must comply with the principle of purpose limitation, ensuring the agent provides the same level of protection as required by Privacy Shield, and stopping and remediating unauthorised processing.
- Dispute resolution. Each organisation is required to appoint an independent recourse mechanism such as the Direct Marketing Association or TRUSTe. Data subjects are encouraged to take their complaints to the organisation first. Failing a satisfactory resolution, they should approach the independent recourse mechanism, which must investigate and resolve complaints and disputes expeditiously and at no cost to the individual.
- The types of enforcement authorities have been expanded and now include the Department of Commerce, the Federal Trade Commission, the Department of Transportation and European DPAs.
Despite these improvements (not all changes have been listed here), the program has always had its critics, who claim it contains the same fundamental flaws as its predecessor. A recent motion put forward by MEPs cited concerns with the Privacy Shield, including how the scheme addresses US bulk surveillance powers and provides for judicial redress for EU citizens in the US. It also highlighted concerns about limitations on the rights of data subjects and inconsistencies in wording compared with EU data protection law.
We’ll see what comes up at the inaugural annual review into the operation of the Privacy Shield, which is to take place in September. The EU’s Article 29 Working Party (the body made up of representatives from Member States’ DPAs) describes the review as “a fact-finding mission in order to collect the relevant information and necessary evidence to assess the robustness of the Privacy Shield”. Both EU and US officials will participate in the review.
Isabelle Falque-Pierrotin, chair of the Article 29 Working Party (WP29), said the review should address both “commercial aspects” and issues pertaining to “law enforcement and national security”.
In an accompanying statement published alongside the letter it sent to the EU’s justice commissioner, the WP29 said: “As for the commercial part, the WP29 has questions concerning, among others, the existence of legal guarantees regarding automated decision making or the existence of any guidance made available by the DOC (US Department of Commerce) regarding the application of the Privacy Shield principles to organisations acting as agents/processors. Clarifications that will be sought also include the definition of human resources data.”
“Regarding the law enforcement and national security part, the WP29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks … precise evidence to show that bulk collection, when it exists, is ‘as tailored as feasible’, limited and proportionate,” it said.
The WP29 has also indicated that, subject to the outcome of the joint review and the report of the Commission, it may present a separate public report and an updated assessment of the Privacy Shield in its own statement, based on the findings presented to its review team.
We’re excited to see the Commission and the WP29’s findings.