It took a great deal of negotiation efforts, but the European Commission implementing decision on the adequacy of the protection provided by the EU-US Privacy Shield is finally out. A step the Commission is proud of.
The new agreement includes a series of safeguards on how the data of European citizens will be used, the right for European citizens to go to American courts when they think companies or the US government have misused their data, written guarantees from American officials that government agencies will not indiscriminately collect and monitor European data without a reason, and a joint annual review which will allow to monitor the functioning of the Privacy Shield. Moreover, a new institution – the so-called Ombudsperson – at the State Department has been created and will be in charge of handling European complaints about unfair collection and use of data by government agencies.
Businesses might feel relieved to leave the jurisdictional limbo they were in since the invalidation of the Safe Harbor decision. Big American companies seem unanimous in their view that the agreement will “guarantee a high level of protection for personal data of EU citizens, and restore trust for all stakeholders”.
But their relief might not last long. Jan-Philipp Albrecht (lead negotiator on EU data protection) and Max Schrems have urged the European Commission to hold off on activating the Privacy Shield as it will be “highly likely” that the new agreement will be invalidated. In a recent article, they state that “this ombudsperson is not what the European Court of Justice meant when it asked for individual redress” and that the new agreement fails to address the concerns raised by the ECJ in its ruling that invalidated the Safe Harbor.
It remains to be seen whether (or better when) legal challenges will be presented to the ECJ or whether the Court will autonomously review the Privacy Shield to see if it meets European standards. Critically important in this regard will be the outcome of a new case which has recently been brought to the ECJ. The Irish privacy watchdog announced in May that it would refer Facebook’s data transfer mechanism (the model contract clauses) to the Court. If the ECJ should rule that the mechanism is invalid, this will be a strong new signal that data transfers can’t happen unless there is a serious change in US laws.
The development of the discussion on both sides of the Atlantic will be especially interesting to follow in the light of General Data Protection Regulation – the new data protection framework which will soon apply in the EU. American companies have a bit less than two years to figure out how to deal with the extraterritorial application of the new data protections rules – a weak protection of European citizens’ rights could otherwise have bitter consequences.