The 12th of July 2016 was a day of celebration for American giants such as Google, Apple, and Microsoft, because the European Commission adopted its adequacy decision declaring the US has established a sufficient level of protection for personal data via the Privacy Shield. US companies of all sizes will be able to once again collect and process European residents’ personal data on the basis of what Max Schrems describes as “Safe Harbor II”[1].
Schrems, the plaintiff in the European Court of Justice (ECJ) case that invalidated the Safe Harbor last October, states that the Commission’s decision and American law do not fully respond to the regulatory deficiencies underlined by the ECJ, which include: the American regulatory framework allowing for the mass collection and surveillance of personal data, the lack of effective redress for personal data violations, and the misrepresentation of the consent principle (opt-in) known to European residents. His findings are shared by European data protection authorities and by human rights groups in the US and the EU, which attest that the Privacy Shield’s legal certainty resembles that of a house of cards struggling to withstand the slightest breeze caused by a second challenge before the ECJ.
The Procedure
The European Commission is the sole decision-maker in the adequacy decision procedure for third countries and, therefore, is not bound by the opinions of the European Parliament or the Article 29 Working Party “WP29” (the European National Data Protection Authorities). Nevertheless, the Commission decided to submit a “first draft” of the Privacy Shield last February to the European Parliament, the WP29, and the European Data Protection Supervisor for their opinions. All three institutions raised substantial critiques by means of resolutions and formal opinions, asking for fundamental changes to ensure that basic data protection principles are not derailed by the economic interests of the Privacy Shield.
In the adequacy decision adopted on July 12th, the Commission states that it took into consideration the opinion of the WP29 and the resolution of the European Parliament. However, when comparing the draft “Annex II Privacy Shield Principles”[2] and the July 7th “Annex II Privacy Shield Principles”[3], the documents are identical. Moreover, every Annex in the Privacy Shield framework, which together form the legal basis of the US protection for EU personal data, is identical, meaning nothing changed. This observation thus begs the question: “In what way were any of the critiques and data protection deficiencies raised by the institutions taken into consideration by the Commission[4]?”
The Decision and Its Consequences
While the Privacy Shield adequacy decision reopens the flood gates for EU-US data transfers, stakeholders on both sides of the Atlantic are cautious about the legal certainty and stability of this legal mechanism. Some of the frequent questions being asked are:
- What does this mean for the Standard Contractual Clauses companies signed?
- A company has a BCR that requires a higher standard for data protection than the Privacy Shield. Which must it comply with in regard to access by US authorities?
- Should companies really invest in the Privacy Shield, if it will just be struck down again by the ECJ?
[1] https://www.youtube.com/watch?v=swj-Zmgps8I&feature=youtu.be
[2] Annex released on February 29th by the European Commission, last updated June 29th 2016. http://ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm
[3] Annex released on July 12th by the European Commission, last updated July 12th 2016. http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm
[4] For more information on these deficiencies, see “Avis des CNIL européennes sur le Privacy Shield : « en progrès, peut mieux faire, il faut poursuivre les efforts »”, http://www.protection-des-donnees.fr/privacy-shield-en-progres-peu-mieux-faire-il-faut-poursuivre-les-efforts/ ; and “Privacy Shield : un accord radicalement « différent » du Safe harbor ?”, http://www.protection-des-donnees.fr/privacy-shield-un-accord-radicalement-different-du-safe-harbor/