A key European Union committee with responsibility for privacy determinations today approved the new EU-US Privacy Shield. With that approval, formal adoption by the European Commission is expected next week.
In a press release issued by European Commission Vice President Ansip and Commissioner Jourová, the Commission touted the differences between the new Privacy Shield and the now-defunct Safe Harbor, invalidated by the European Court of Justice in October 2015. These differences include:
- Clear and strong obligations imposed on companies that handle data;
- Written assurances by U.S. authorities that their access to data in the name of law enforcement or national security will be subject to clear limitations, safeguards and oversight mechanisms, and the further promise that EU citizens’ data will not be subject to mass surveillance; and
- Redress mechanisms for European citizens concerned that their privacy rights have been violated.
The support expressed by the European Commission and by some industry groups like Digital Europe is not universal. The Privacy Shield, first announced in February 2016, has been subject to months of criticism for failing to do enough adequately to address the concerns that led to the dismantling of the Safe Harbor. In April, another EU organization, the Article 29 Working Party, expressed its “strong concerns” that the Privacy Shield was unclear and inconsistent, omitted or inadequately substituted key data protection principles, offered overly complex redress mechanisms, failed to give adequate assurance that U.S. authorities would refrain from engaging in “massive and indiscriminate collection of personal data” from the EU, and failed to vest the newly-established Ombudsperson with sufficient independence and power to exercise its duty effectively. The European Parliament echoed these concerns in a May resolution highlighting “deficiencies” it perceived in the Privacy Shield.
The draft Privacy Shield underwent revision in response to these and other concerns raised, but some continue to criticize the agreement. Indeed, just yesterday, Privacy International gave its review based on leaked text that it obtained, contending that the revised document’s length and complexity make it “difficult for anyone to assess what guarantees are provided … and how they would apply in practice.” The group criticized several aspects of the agreement, focusing heavily on a perceived weakness in protections against governmental surveillance.
Against that backdrop, two things are clear:
- Privacy Shield will be adopted; and
- Legal challenges in the European courts are sure to follow.
Beyond that, it is anybody’s guess.