The EU–US Privacy Shield has passed its first annual review, despite many prominent parties expressing concern over its effectiveness.
The Privacy Shield is the legal basis for transferring data between the EU and US. It replaced Safe Harbor on 1 August 2016, the former framework being scrapped after it was deemed unfit for purpose. To prevent the same issue happening again, representatives of the EU and US agreed to annually review the Privacy Shield.
European privacy campaigner Max Schrems, the person largely responsible for the demise of Safe Harbor, believed the Privacy Shield was no better, calling it muddled and “very likely to fail”.
Schrems wasn’t alone in his criticism: many other people expressed concern over the collection of evidence to verify the functioning of the Privacy Shield, mass spying by US surveillance agencies and the US government’s commitment to the agreement.
Digital Rights Ireland filed a legal challenge against the Privacy Shield, and the Article 29 Working Party (WP29), an advisory body made up of representatives from each EU member state, sent a damning letter to the European Commission.
New concerns emerged with the inauguration of President Trump. In June, TechCrunch wrote that the Privacy Shield looks “especially precarious in Trump’s America, given the president’s apparent disregard for the rights of non-Americans”.
Speaking in August, European Data Protection Supervisor Giovanni Buttarelli said it was “surprising” that the Trump administration still hadn’t appointed anyone to fill the ombudsman role or any of the four vacant positions on the US government’s Privacy and Civil Liberties Oversight Board.
He also described the Privacy Shield as “an interim instrument for the short-term. Something more robust needs to be conceived”.
So why was it approved?
Following the review, EU justice commissioner Věra Jourová and US secretary of commerce Wilbur Ross issued a joint statement praising the Privacy Shield. They wrote:
“Officials noted that this input greatly informed the review process and will lead to continued improvements to the functioning of the program.
“The review examined all aspects of the administration and enforcement of the Privacy Shield, including commercial and national-security related matters, as well as broader US legal developments. […] The United States and the European Union share an interest in the Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”
The immediate future of the Privacy Shield was also boosted by the WP29’s decision last year not to sue until it had a chance to look at proposed reforms following the review process. With that review now over, the WP29 will surely closely examine the long-term viability of the framework.
How will this affect the GDPR?
The Privacy Shield’s scope differs significantly from the EU General Data Protection Regulation (GDPR), the forthcoming law to strengthen EU residents’ rights and freedoms concerning personal data. Signing up for the Privacy Shield won’t satisfy the GDPR’s processing clauses, as the framework only concerns the protection of personal data under the Data Protection Directive in transatlantic data flows.
Any organisation that transfers data between the EU and US should proceed on the basis that it will have to comply fully with the requirements of the GDPR. Because of the complexity of the Regulation, organisations need to start preparing now if they haven’t already done so.
Our EU General Data Protection Regulation (GDPR) Documentation Toolkit can simplify the compliance process. Designed and developed by expert GDPR practitioners, it provides all the templates, worksheets and policies you need to comply with the documented aspects of the Regulation.