A new legal framework for enabling transfers of data across the Atlantic came into force on Tuesday.
However, it is already facing opposition from legal activists and pressure groups — suggesting a formal legal challenge is not far away.
“Privacy Shield” is a mechanism that legitimises the transfer of personal data from Europe to the US, despite the two regions’ differing legal frameworks.
Thousands of companies send personal data back and forth between the EU and the US on a daily basis — from customer data to employee payroll information — so it’s imperative that there’s a clear legal framework to ensure the data is subject to adequate protections.
Historically, this had been done via “Safe Harbour,” a way companies in the US handling Europeans’ data could self-certify as complying with Europe’s stricter regulations.
But it was struck down by the European Court of Justice (ECJ) in 2015 following a legal challenge, over concerns that US mass surveillance meant Europeans’ data was not being properly protected.
This plunged the companies reliant on Safe Harbour into a legal limbo, and sent European and US regulators scrambling for a replacement. (In some circumstances, there are alternate mechanisms that can be used to legitimise the transatlantic transfer of data, but none are as straightforward as Safe Harbour was.)
In February 2016, we got our first look at it: “Privacy Shield.”
Key details included a free dispute resolution mechanism for users, “clear safeguards and transparency obligations on US government access,” the creation of an independent US ombudsman, and a yearly review of the agreement.
After some debate, Privacy Shield was approved by national representatives on Friday, and comes into force on Tuesday — today.
“We have approved the new EU-U.S. Privacy Shield today,” Andrus Ansip, Commission Vice-President for the Digital Single Market, said in a statement. “It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy — we now have a robust framework ensuring these transfers take place in the best and safest conditions.”
The “adequacy decision” comes into force immediately, with companies able to start certifying from August 1.
But there is already opposition to the new agreement.
Max Schrems, a privacy lawyer whose case against Facebook invalidated the original Safe Harbour, slammed Privacy Shield in a statement, and expects it to end up right back in the European courts. He said (emphasis ours):
“Privacy Shield is the product of pressure by the US and the IT industry — not of rational or reasonable considerations. It is little more than a little upgrade to Safe Harbour, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU. This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution. The European Commission and the US government managed to make everyone miserable, when they could have used this opportunity to upgrade the protections that are crucial for consumer trust in online and cloud services.”
Similarly, civil liberties group Access Now said it “fails to address the substantial shortcomings of the agreement identified by the EU data protection authorities, the EU Parliament, and privacy experts and civil liberties groups.”
At least one legal challenge now looks likely — and that means further uncertainty for businesses, which will be hesitant to rely too heavily on it lest it is struck down, just like its predecessor.