The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which replaces Safe Harbor as a framework for protecting European data transferred to the United States. Adoption had been expected since the European Commission announced on Friday that Member States had given their “strong support” to the new framework (although we note that Austria, Bulgaria, Croatia and Slovenia abstained from voting).
Are there any final changes?
There have been some tweaks to the Privacy Shield regime since the draft adequacy decision was issued in February. These include:
- clarifying the rules on bulk collection of data. In particular, the Office of the Director of National Intelligence has clarified that bulk collection of EU data may only take place under specific preconditions and must be “as targeted and focused” as possible;
- introducing more explicit obligations on companies as regards limits on retention and collection of data. Specifically, companies now have to delete data that no longer serves the purpose for which it was collected; and
- strengthening the Ombudsperson mechanism. In its press release, the Commission makes clear that the Ombudsperson is independent from the US intelligence services.
What were the criticisms?
The changes are intended to address a critique of Privacy Shield issued in April by the European data protection regulators (the Article 29 Working Party, or A29WP), which concluded that Privacy Shield – while a huge improvement on Safe Harbor – still did not meet EU privacy standards. This was largely because:
- massive and indiscriminate data collection by American authorities was still not fully excluded;
- the Privacy Shield lacked an explicit data retention principle; and
- the powers and independent position of the Ombudsperson (who deals with national security-related complaints) were not made clear.
What does the future look like for Privacy Shield?
The Commission’s tweaks will address the A29WP’s concerns to some degree, but that might not be enough to keep the privacy wolves at bay.
Privacy Shield may well be subject to a future challenge on the basis of “equivalence” with EU law, and it will almost certainly undergo further A29WP review. Potential issues remain, such as the fact that Privacy Shield (like Safe Harbor) is largely self-certified. Indeed, one of the main privacy advocates in the European Parliament (MEP Jan Philipp Albrecht) commented that the European Commission has “just signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights”. Max Schrems has said he will challenge it.
In the medium term, inconsistencies between Privacy Shield and the upcoming GDPR requirements could also limit Privacy Shield’s shelf life. Therefore, the climate seems ripe for challenge. Max Schrems has also sought to challenge model clauses in an application by the Irish DPA to the Irish High Court.
Privacy observers will also be keeping an eye on how Brexit plays out: will the UK find itself negotiating its own form of Privacy Shield to ensure EU adequacy?
Even so, Privacy Shield will be a valid solution for transfers to the US. American companies may begin to self-certify with the US Commerce Department from 1 August, and we expect to see many large US vendors taking up this option. Microsoft has concluded on its official blog that the Privacy Shield “meets each of [the] requirements…of… European data protection law”.