Written by Jan Baeverstroem,
On 2 February 2016 the College of Commissioners approved the political agreement on the ‘The EU-US Privacy Shield’ , which was followed on 29 February 2016 by a draft “adequacy decision ” and the communication ‘Transatlantic Data Flows: Restoring Trust through Strong Safeguards ‘. The Commission has also made the US Government’s written commitments available (Annex 1-7).
A Fact sheet gives an overview and in a FAQ the Commission underlines ‘that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access’, and that ‘the newly created Ombudsperson mechanism will handle and solve complaints or enquiries raised by EU individuals in this context’.
At a hearing on the Privacy Shield in the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) on 17 March 2016, among others the European Data Protection Supervisor, Max Schrems, and David Martin from the Bureau Européen des Unions de Consommateurs (BEUC) intervened.
On 13 April 2016, Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party, discussed the Privacy Shield pros and cons at a news conference . The opinion of the working party, published the same day, criticises several aspects of the draft decision; provisions on purpose limitation, data retention, onward transfers and redress principles. The opinion was commented on by the European Commissioner for Justice,Vera Jourova , who stated that it contains ‘a number of useful recommendations and the Commission will work to swiftly include them in its final decision.’
In the meantime, the Judicial Redress Act, an act that would provide EU citizens with access to judicial redress in the US passed the Congress and was signed into law by the President on 24 February 2016. The Congresssional Research Service has written an analysis, ‘Judicial Redress Act 101 – What to Know as Senate Contemplates Passing New Privacy Law’, published on 21 January 2016.
See also the ERPS At a glance ‘The ECJ Schrems case and Safe Harbour decision ‘ by Shara Monteleone and Laura Puccio published on 25 October 2015.
EU positions
Opinion 01/2016 of the Article 29 Working Party on the EU – U.S. Privacy Shield draft adequacy decision – WP 238, 13 April 2013
‘The fact that the principles and guarantees afforded by the Privacy Shield are set out in both the adequacy decision and in its annexes makes the information both difficult to find, and at times, inconsistent. This contributes to an overall lack of clarity regarding the new framework as well as making accessibility for data subjects, organisations, and data protection authorities more difficult. Similarly, the language used lacks clarity. The WP29 therefore urges the Commission to make this clear and understandable for both sides of the Atlantic.’
Statement of the Article 29 Working Party on the publication of the draft “adequacy-decisiony , 29 February 2016
The Article 29 Working Party welcomes the publication of the draft “adequacy-decision” of the European Commission as well as of the legal texts that constitute the EU-U.S. Privacy Shield arrangement. These documents have to be analyzed with great attention as regards the need for restoring trust in transatlantic data flows
The Article 29 Working Party (WP29) welcomes the fact of the conclusion of the negotiations between the EU and the U.S.on the introduction of a “EU-U.S. Privacy Shield” , 3 February 2016
‘It meets the deadline set by the WP29 in its statement of 16 October. It looks forward to receive the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by Schrems judgment as regards international transfers of personal data.’
Statement of the Article 29 Working Party (WP29) met to discuss the consequences of the CJEU judgment in the Schrems case, 3 February 2016
‘The WP29 calls on the Commission to communicate all documents pertaining to the new arrangement by the end of February. The WP29 will then be in position to complete its assessment for all personal data transfers to the U.S. at an extraordinary plenary meeting that will be organized in the coming weeks. After this period, the WP29 will consider whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S. In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms.’
European Antitrust Chief Takes Swipe at Privacy Issue / by Mark Scottjan, 17 January 2016
‘“If a few companies control the data you need to cut costs, then you give them the power to drive others out of the market,” Ms. Vestager said at the DLD conference, a gathering of digital executives and policy makers.’
Communication from the Commission on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems), COM(2015) 566 final, 6 November 2015
‘The present Communication is without prejudice to the powers and duty of the DPAs to examine the lawfulness of such transfers in full independence8. It does not lay down any binding rules and fully respects the powers of national courts to interpret the applicable law and, where necessary, to make a reference to the Court of Justice for a preliminary ruling. Nor can this Communication form the basis for any individual or collective legal entitlement or claim.’
Article 29 Data Protection Working Party statement on the implementation of the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14 ), 16 October 2015
” the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. In any case, this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.”
US Comments
Statement of FTC Federal Trade Commission Chairwoman Edith Ramirez on EU-U.S. Privacy Shield Framework, 29 February 2016
‘As I affirmed in my letter to EU Commissioner Vĕra Jourová , the FTC will make enforcement of the new framework a high priority, and we will work closely with our European counterparts to provide robust privacy and data security protections for consumers in the United States and Europe.’
Attachements to the abovementioned letter:
The EU-U.S. Privacy Shield Framework in Context : An Overview of the U.S. Privacy and Security Landscape
Privacy and Data Security : update 2015
The US legal system on data protection in the field of law enforcement : Safeguards, rights and remedies for EU citizens / Francesca Bignami, George Washington University Law School & Alessandro DAVOLI. Policy Department C – Citizens’ Rights and Constitutional Affairs, May 2015
‘It reviews two principal sources of US data protection law, the Fourth Amendment to the US Constitution and the Privacy Act of 1974. It also considers the legally prescribed methods of data collection, together with their associated data protection guarantees, in ordinary criminal investigations and national security investigations. Throughout, the study pays special attention to the rights afforded to EU citizens.’
The EU-U.S. Privacy Shield: What’s at Stake / The Information Technology Industry Council (ITI), 16 February 2016
Data Flows are Essential to the EU-U.S. Trade Relationship — Potential Macroeconomic Costs of Disruption — Examples of impacts on companies [if no legal basis exists to transfer data from Europe]
The U.S. Privacy and Data Protection Framework : Basic Characteristics and Recent Reforms / The Information Technology Industry Council (ITI), 18 January 2016
This briefing paper is intended to assist EU data protection authorities (DPAs), EU and Member State government officials, and others in their evaluation of the legal framework for privacy and data protection in the United States.
Civil Society comments
From an unSafe Harbour to a Privacy Shield full of holes / Anna Fielder, Privacy International, 12 April 2016
‘If one compares Europeans’ rights under EU law to Europeans’ rights under the current Privacy Shield, holes are immediately apparent. The current ‘Privacy Shield’ agreement does not let Europeans exercise their full rights’.’
27 U.S., EU Rights Groups Say Privacy Shield Must Be Renegotiated , 20 March 2016
‘Digital rights and civil liberties groups have called on European Union officials to renegotiate the so-called Privacy Shield framework for transatlantic data flows.’
EU-US Privacy Shield: recorded Webinar and what to expect from the death of Safe Harbor / Ruth Boardman, Ariane Mole, James Mullock, Dr Fabian Niemann, Benoit Van Asbroeck, Bird & Bird, 4 February 2016
‘Experts from a number of Bird & Bird offices provided a second webinar on Wednesday 3 February to analyse the Privacy Shield and announcements, and answer a number of questions on how businesses should react. This has been recorded and is available at the link below.’
The Safe Harbour is Dead, long live the Not-so-safe Harbour? / Transatlantic Consumer Dialogue (TACD), 3 February 2016
‘On the evidence so far, we remain sceptical of the adequacy of the new system for data transfers being put in place and urge the Authorities to begin data protection enforcement proceedings in due course and without delay, for the companies that are relying on the now illegal Safe Harbour only’
Background information
Legal Analysis of the EU-U.S. Privacy Shield : an adequacy assessment by reference to the jurisprudence of the Court of Justice of the European Union / Hogan Lowells, 2016
‘The Privacy Shield is crucial in bridging the gap between European and American approaches to privacy and it is therefore essential that it can be relied upon with complete certainty.’
The EU-US Privacy Shield – is it strong enough? / Alison Deighton, Privacy & Data Protection, P. & D.P. 2016, 16(4), 8-10
Privacy Shield vs. Safe Harbor: A Different Name for an Improved Agreement? / Sotirios Petrovas and Cynthia Rich, Morrison & Foerster, 3 March 2016
‘The new agreement is aimed at restoring the trust of individuals in the transatlantic partnership and the digital economy, and putting an end to months of compliance concerns of U.S. and EU companies alike. The draft will be discussed with EU data protection authorities (“DPAs”) and adopted by Member States representatives before it becomes binding.’
EU-US-Privacy Shield – Wie sieht die Zukunft des transatlantischen Datenverkehrs aus? / Timon Grau und Thomas Granetznyzur, Neue Zeitschrift für Arbeitsrecht, 2016, Heft 7 (Seite 385-448)
‘Die Rechtsunsicherheit für betroffene Unternehmen ist durch die Verlautbarung zum EU-US Privacy Shield jedenfalls noch nicht beseitigt und auch in Zukunft werden Unternehmen ihre Prozesse zur (Personal-)Datenübermittlung analysieren und gegebenenfalls anpassen müssen.’
EU-US Privacy Shield to Replace Safe Harbor / Pulina Whitaker, Morgan Lewis, Global Security Magazine, February 2016
‘examination of the new EU-US Privacy Shield replacing the Safe Harbor programme.’
Privacy Shield : Microsoft prédit un durcissement des conflits juridiques / Le Monde Informatique, Le 24 Février 2016
EU Data Protection Authorities Enforcement Guidance Post-Schrems / National Law Review, 21 February 2016
‘Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”)’
Noch keine Nachfolge von Safe Harbor / Ausschuss Digitale Agenda/Ausschuss, Deutscher Bundestag, 17 February 2016
‘Es gebe bislang lediglich Ankündigungen eines Ergebnisses der Verhandlungen zwischen der EU-Kommission und den USA zu dem sogenannten EU-US-Privacy Shield, worüber die Datenschutzbeauftragten Anfang Februar mündlich in Kenntnis gesetzt worden seien, sagte Voßhoff. Diese Ergebnisse seien durchaus vielversprechend, aber im Detail auch mit vielen Fragezeichen versehen’
Privacy should be protected in law, not in promises / By Claude Moraes, The Hill, 15 February 2016
After Safe Harbor: Bridging the EU-U.S. Data-Privacy Divide / Abraham Newman, World Politics Review, 9 February 2016
‘A more realistic solution would be for the U.S. to create an institutionally independent oversight authority that could monitor and implement trans-Atlantic privacy accords. In addition to the Safe Harbor dispute, the EU and U.S. have struggled to reach agreements on sharing airline data, financial data and law-enforcement data. Across all of these negotiations, the lack of an institutional counterpart in the United States has been a major point of conflict”
The EU-US Privacy Shield agreement explained – preparing for uncertainty / John E.Dunn, ComputerWorld, 8 February 2016
‘The EU and the US are edging towards Safe Harbour 2.0. But is trust gone forever?’
EU-U.S. Reach Deal on Safe Harbor 2.0 – Pact Creates New Data Transfer Framework Saturday / The National Law Review, February 6, 2016
Privacy Shield’ and what Safe Harbour 2.0 means for global data exchange / by Chloe Green, Information Age, 5 February 2016
‘With accountability at the core of the new EU Regulation on data protection, businesses in the US and the EU will have to adapt and comply to keep conducting business in international markets’
Le Privacy Shield apporte-t-il plus de garanties que le Safe Harbor ? / Le Monde Informatique, Le 4 Février 2016
Live. Die. Repeat. The ‘Privacy Shield’ deal as ‘Groundhog Day’: endlessly making the same mistakes? / Steve Peers, EU Law Analysis, 3 February 2016
Du Safe Harbor au « Privacy Shield » : de réels progrès ou “blanc bonnet, bonnet blanc” ? / Anne-Sophie Mouren, avocat chez Pinsent Masons, Le Monde Informatique,, Le 3 Février 2016
Why Safe Harbor 2.0 will lose again : Ars talks with privacy campaigner Max Schrems / by Jennifer Baker, ArsTechnica, 2 February 2016
U.S. and Europe in ‘Safe Harbor’ Data Deal, but Legal Fight May Await / By Mark Scott, New York Times, 2 February 2016
European and U.S. negotiators agree on new ‘Safe Harbor’ data deal / By Ellen Nakashima and Andrea Peterson, Washington Post, 2 February 2016
