The EU-U.S. Privacy Shield: what are the next steps?
This blog article was originally published on the TYPES Blog. TYPES is a EU-funded programme under Horizon 2020 whose aim is to support growth in the online advertising industry through trust-enhancing tools and technologies, in the face of the growing popularity of advertising mitigation software such as ad blockers. IAB Europe plays a critical role in this programme, by providing insights and inputs from the digital advertising industry perspective.
In October 2015, the Court of Justice of the European Union (CJEU) declared the Safe Harbour scheme for transferring data from the EU to the U.S. to be invalid. Since then, quite a lot has happened. The Commission had already been in talks for some time before the Court’s decision on how to improve the scheme and make it fit or the modern age – after all, the Safe Harbour adequacy decision was adopted back in 2000, now sixteen years ago.
The big impetus behind the renewal of talks was the revelations by Edward Snowden in 2013 of indiscriminate collection of EU citizens’ personal data by U.S. security authorities. Privacy activist Max Schrems, then still a law student, brought a case against American tech companies in different EU Member States, including one against Facebook in Ireland which eventually made its way to the Court of Justice. At the time, the Commission was already in advanced talks with the US Department of Commerce on renewing the Safe Harbour scheme. Intensive negotiations went on during the months following the October decision by the CJEU, with pressure being put on the Commission by the Article 29 Working Party of national data protection authorities. They announced that they would allow private companies a ‘grace period’ until the end of January 2016 before starting to investigate the legal validity of data transfers to the U.S.
The Commission and the Dept of Commerce finally came to an agreement two days after this deadline, on 2 February. They then published the new, rebranded “Privacy Shield” at the end of February 2016, along with many documents. The Working Party announced it would come to a decision in April, and chose the week of 11 April to publish its Opinion on the Privacy Shield. It wasn’t very positive – there was much criticism of the draft adequacy decision, both in terms of commercial aspects and the supposed ‘assurances’ from the U.S. government about access to data transferred under the scheme.
Sophie in ‘t Veld, MEP for the ALDE Group, shares many of the concerns of the Article 29 Working Party and, with the backing of her group and the S&D group, also plans to put forward a resolution criticising the Commission’s proposed adequacy decision. The Commissioner in charge of the dossier, Věra Jourová (Justice, Consumers and Gender Equality) acknowledged the concerns and said that she hoped to iron them out. However, she also drew attention to the fact that the opinion of the Working Party is not binding. At the same time, the U.S. has indicated that they have no intention to reopen the agreement on any substantive issues.
So what happens now? If in ‘t Veld’s resolution were to pass, it would not be binding on the Commission but nonetheless send a strong political signal from the European Parliament. The Working Party’s opinion is also not binding, but because it is made up of the very data protection authorities which must enforce the Privacy Shield their opinion must be considered seriously. Alleviating their concerns without changing the substance of the adequacy decision, however, does not seem a straightforward task.
With stark criticism from the home camp and a reluctance to change the deal from the U.S. side, Commissioner Jourová is put in the unenviable position of having to come up with a solution. Unless, of course, the committee of national experts on data protection approves the Privacy Shield. They are technically the only piece of the puzzle left for the adoption of the new adequacy decision, and a positive decision from them, which is expected in the month of May or June, would mean a legislative green light for the European Commission.
Until we know what the national experts decide, the crucial question will remain whether the Privacy Shield is, as some have taken to calling it, Schrems-proof. On the one hand, businesses need the legal certainty of an adequacy decision to continue transferring data to the U.S. It is just a simple reality of the modern economy that large amounts of data need to be transferred, which is why businesses want it concluded as soon as possible. The question could reasonably be asked, however, if there is much point to rushing out an adequacy decision that is doomed to be struck down again by the CJEU for invalidity. It would obviously not happen immediately, which means that the negotiators from across the Atlantic will be acting under a new President.
For a more technical piece on the Safe Harbour framework and the CJEU decision, see my previous blog ‘Is a Safer “Safe Harbour” on the Way?’.