Last week the European Union and the United States came to an agreement regarding the transfer of data between Europe and the US. The agreement, named Privacy Shield, is offered as a replacement for the former Safe Harbor agreement, which was nullified last October by the European Court of Justice (ECJ).
One of the many reasons Safe Harbor was nullified is that the agreement could not protect European citizens against American government agencies (e.g. the NSA). For more on this matter I refer to the article ECJ states ‘Safe Harbor is invalid’ – How to act, written by my colleague Edwin Sturrus.
What does the Privacy Shield offer?
The new Privacy Shield aims to comply with the conditions outlined by the ECJ when it declared Safe Harbor invalid. It offers a mechanism in which the Federal Trade Commission and the U.S. Department of Commerce get a greater mandate and more oversight. The European Commission (EC) will monitor more stringently whether American companies comply with the new Privacy Shield rules. In addition, an independent “Ombudsman” will be appointed to handle complaints from European citizens regarding the misuse of their personal data by US companies and the US government. Lastly, the US assures that the agreement will also be binding for the US government (including the NSA) by providing letters signed at the highest political level.
What are the concerns regarding the Privacy Shield?
To begin with, the exact details of the agreement have not been published yet. Hence, it is not yet possible to evaluate the legal grounds of the Privacy Shield. Once the details of the agreement are published, KPMG will provide further clarification on its legal grounds.
We strongly agree with the need to establish an independent entity, for example in the form of an Ombudsman or another independent body, to handle complaints from EU citizens. However, such an Ombudsman is not a judge, and the legal status of such an independent entity in the US is still unclear.
The EC will receive written assurances from the Obama administration stating that the US government will discontinue mass surveillance of EU citizens. The legal status of such assurances is unclear (will it be a written letter or an actual law?), and in addition the Obama administration will come to an end at the beginning of next year. The question is whether these written assurances will still be valid at that point in time, with a new administration in office.
All 28 member states of the European Union and their local Data Protection Authorities, including the Dutch “Autoriteit Persoonsgegevens”, need to evaluate the details of the agreement before it can be ratified. To say that this will probably take some time is an understatement.
The EC is considered the gatekeeper of all EU agreements within and beyond the European Union. As we all know, a significant number of EU citizens are rather skeptical about Brussels’ impact in general with respect to this topic. If it turns out that the EC has agreed with the US on an agreement that does not fully respect the core privacy values of its citizens, one can imagine this will do no good to the reputation of the EC.
Is the Privacy Shield really the solution?
The EC has presented the Privacy Shield as the solution to all the problems of its predecessor. Yet, as stated earlier, the details of this agreement have not yet been shared with the public. The deadline for the EC to issue a new agreement was February 1st this year. By presenting this agreement the EC has met the deadline. However, the question remains whether the agreement is viable and robust enough to comply with the requirements of all 28 EU member states. If we already have a lot of critical notes on the very high-level, general outline of this agreement that we currently have, the details need to be quite strong to be convincing. The Privacy Shield could be a way to stifle the European discontent. For the time being we suggest that organizations cover and maintain their data protection through Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs). Even though there are some serious questions regarding the effectiveness of BCRs and SCCs, they are currently the best way forward for European organizations that definitely need to share their data with American companies.
Author: Ali Ougajou, Senior Consultant