On February 29, 2016, the EU Commissioner for Justice released details about the forthcoming Privacy Shield agreement between the EU and the US. These details suggest that the agreement, the replacement for Safe Harbor, will have more safeguards in place than its predecessor. However, the road to its approval will not be without obstacles, mainly because the documents released on the day of the announcement do not offer reassurances about the end of bulk collection of personal data by the US authorities.
The approval of the new agreement is likely to face obstacles within the EU
Following a promising but generic announcement from the EU Commissioner for Justice early in February 2016, we now have more detail about the Privacy Shield agreement. This is intended to replace the now-defunct Safe Harbor agreement and ensure that the transfer of personal data between the EU and the US remains relatively smooth. However, although the new agreement appears to have more safeguards in place and a long-awaited process of judicial redress for data breaches, only time will tell if the process will be as effective as EU institutions are hoping.
The Privacy Shield must overcome significant hurdles before it becomes valid. The text will have to be approved by a committee representing the 28 EU member states and by the Article 29 Working Party, which groups together EU countries’ Data Protection Authorities. It is by no means certain that these bodies will give their approval without any comment on the text – something that largely depends on the assurance that recent reforms passed in the US on surveillance are effective. Some of the documents released by the EC suggest that bulk collection of personal data by US institutions could still occur in certain circumstances, which is likely to be an obstacle to the approval of the Privacy Shield.
The recent conflict between Apple and the FBI could also play a role in fostering the perception that, despite the formal steps the US has taken with regard to privacy safeguards for non-US citizens, in practice little has changed. Companies can only wait and see how this unfolds and will have to accept that uncertainty over privacy and data transfer rules could remain for some time.
Luca Schiavoni, Senior Analyst, Regulation