Europe’s data regulators give Privacy Shield just one year to prove itself

27 Jul 2016

EU data regulators are giving the EU-US Privacy Shield one year to prove itself before they issue any formal legal challenges

Data protection authorities around Europe – part of the Article 29 Working Party – have given the new EU-US Privacy Shield one year to prove itself before they will issue any legal challenges.

While unhappy with the final text of the agreement – which replaces Safe Harbour – the Article 29 Working Party said it will wait for the first annual review before taking the EU, the US or corporations to task on data protection issues.

It is the first time that the 28 data protection regulators from around Europe commented on Privacy Shield since EU governments backed the new data sharing agreement in recent weeks.

‘A number of concerns remain, regarding both the commercial aspects and the access by US public authorities to data transferred from the EU’
– ARTICLE 29 WORKING GROUP

The decision not to issue legal challenges right away could be a source of huge relief for the many US corporations with operations in Europe.

The Privacy Shield replaces the previous accord, called Safe Harbour, which was declared invalid by the European Court of Justice last October.

Max Schrems and the demise of Safe Harbour

The demise of Safe Harbour came after a high-profile case by Max Schrems that exposed shortcomings in how tech firms protected EU citizens’ private information.

Its fate was sealed when Edward Snowden made his famous revelations about the NSA spying on Europeans’ data.

The Article 29 Working Party (WP29) said in a statement that it appreciated some of its concerns being taken on board in the final version of the Privacy Shield documents.

“However, a number of these concerns remain, regarding both the commercial aspects and the access by US public authorities to data transferred from the EU.

“Concerning commercial aspects, the WP29 regrets, for instance, the lack of specific rules on automated decisions and of a general right to object.

“Concerning access by public authorities to data transferred to the US under the Privacy Shield, the WP29 would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism.

“Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.”

WP29 said that the first joint annual review of Privacy Shield in mid-2017 will be a key moment for assessing the robustness and efficiency of the Privacy Shield mechanism.

“When participating in the review, the national representatives of the WP29 will not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective.

“The results of the first joint review regarding access by US public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses,” WP29 warned.

Another pivotal High Court case in Ireland involving Schrems, Facebook and the US government, and concerning EU-US data transfer channels, is scheduled for later this year and it could be 2018 before it gets a European Court of Justice judgement.

European legal image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com