E.U.-U.S. Privacy Shield Data Flow Framework Gets Mixed Reviews
Tech associations are encouraging support on both sides of the Atlantic for the recently announced E.U.-U.S. Privacy Shield framework, which replaces the Safe Harbor framework that was ruled invalid last fall. Meanwhile privacy advocates question the privacy protections in the new deal.
Almost four months after a European Court of Justice ruled the E.U.-U.S. Safe Harbor framework invalid, the European Commission and U.S. Commerce Department announced consensus on a new transatlantic data flow framework had been reached. The new E.U.-U.S. Privacy Shield agreement includes strong obligations on companies handling Europeans’ personal data and robust enforcement, clear safeguards and transparency obligations on U.S. government access, and effective protection of E.U. citizens’ rights with several redress possibilities, an E.U. Commission news release said.
News of a deal was celebrated by several organizations, including tech-related associations, as it provided legal certainty that data flows, including social media posts and financial information, can continue. Thousands of U.S. companies were left without a way to transfer data across the Atlantic, without the risk of being penalized by European Data Protection Authorities, after Safe Harbor was struck down last October.
However, civil liberties and privacy advocates questioned the legal standing of the new deal saying it’s a “virtually identical arrangement” to the one ruled invalid following a challenge by Austrian citizen Max Schrems. Schrems sued Facebook for transferring his data to the U.S. where Schrems said the National Security Agency would ignore European privacy laws and collect his data.
Specific details of the Privacy Shield are to be completed within the next two weeks and will be reviewed by the Article 29 Working Party—the association of European Data Protection Commissioners. Once completed, both sides, including the E.U.’s 28 member states, will vote to formally approve it. If approved, the Privacy Shield would likely go into effect by early April.
“For the first time ever, the United States has given the E.U. binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms,” said E.U. Commissioner for Justice, Consumers, and Gender Equality Věra Jourová. “Also for the first time, E.U. citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the U.S. has assured that it does not conduct mass or indiscriminate surveillance of Europeans.” Jourová noted there will be an annual joint review to closely monitor the implementation of these commitments.
Internet Association President and CEO Michael Beckerman urged stakeholders on both sides of the Atlantic to support the agreement, as did the Direct Marketing Association and Software & Information Industry Association. “The significant privacy enhancing concessions reached in the E.U./U.S. Privacy Shield, alongside the recent surveillance reforms implemented by the U.S. and robust enforcement by the U.S. FTC, cannot be overlooked going forward,” said Beckerman.
“This is a major step forward for the 4,000+ American companies who transferred data across the Atlantic under the Safe Harbor,” CompTIA Executive Vice President Elizabeth Hyman said in a statement. “However, there is much work to be done before this new agreement can be put into effect, and we hope the process continues to move forward in this critical time for the future of E.U.-U.S. commerce.”
Given U.S. privacy laws, a point of concern for the European Court of Justice, remain unchanged, Electronic Privacy Information Center President Marc Rotenberg told The New York Times the deal should be rejected. Consumer groups have also threatened to challenge the Privacy Shield by filing complaints with European privacy agencies, the Times reported.