Ever since Edward Snowden blew the lid on the extent to which US authorities can mine and bulk collect the data of EU citizens, privacy has become a hot topic. The replacement of the now defunct EU-US Safe Harbour Framework with the heralded EU-US Privacy Shield however, is proving to be positively frosty. Criticism from privacy groups is rife and the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, has now added his concerns on the adequacy of the new proposals.
The Article 31 Committee, which contains representatives from member states, has asked for more time to consider the Privacy Shield. This is in light of concerns raised by the Article 29 Working Party, which is composed of watchdogs from member states, who have heavily criticised the new framework. Criticism has ranged from the Privacy Shield not being able to" withstand future legal scrutiny" to it failing to provide the necessary "oversight, transparency, redress and data protection rights."
The EDPS Opinion published on 30 May 2016 added that “significant improvements” are needed before the European Commission should adopt the adequacy decision. The EDPS considers that the Privacy Shield does not yet adequately include all appropriate safeguards to protect EU citizens' rights to privacy and data protection, nor does it provide them with judicial redress in the US when their data is mishandled by US public authorities.
Both the EU and US are wedded to their prospective ideals. The US seems highly unlikely to relinquish its unfettered access to EU citizens' data under the banner of national security whilst critics in the EU believe that access should be granted only in lieu of the necessary checks and balances. It is likely to be an uphill struggle for the Safe Harbour's successor.
Unsurprisingly, concerns have been raised in relation to exemptions in the Privacy Shield. These allow for bulk collection in the US, which is not subject to necessity and proportionality requirements, as well as for the creation of an independent Privacy Shield Ombudsman which is seemingly toothless in nature. It allegedly lacks the proper mechanisms to exercise and enforce its duties. The Ombudsman is both appointed by and has to report to, the US Secretary of State. Independence in name only, perhaps.
There has, however, been consensus in some areas with the US Office of the Director of National Intelligence agreeing to give written commitments that the personal data of Europeans will not be subject to mass surveillance. There will also be an annual review to ensure the new framework is working for all parties. Nonetheless, judging by the criticism levied at the Privacy Shield in its current form, such promises are considered neither robust nor effective enough.
Ultimately, the Article 31 Commission can choose to drop the proposals entirely (which is unlikely given the current legal limbo that exists for companies), appeal against the outcome of any vote it makes or submit a revised draft. The latter seems most likely. Whatever decision they make cannot come too soon for companies on both sides of the Atlantic who need certainty in handling the data of its consumers.
A decision by the Article 31 Committee is due in June and parties on both sides of the Atlantic will be hoping that the Privacy Shield stands up to scrutiny and is not shot down in flames.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.