Is the End of the EU-US Privacy Shield in Sight?

European Union data protection law restricts the transfer of EU-origin personal data to countries outside the European Economic Area unless there is a mechanism in place to ensure an adequate level of protection of the personal data.


In 2000, the European Commission approved the EU-SU Safe Harbor Privacy Principles that allowed many U.S. companies to voluntarily opt into a program that, with a self-certification of certain privacy processes and principles, allowed the companies to receive EU-origin personal data in compliance with EU law. The Safe Harbor provided a relatively easy way to meet the “adequacy” requirements of the EU data protection authorities. Other mechanisms to enable data transfers to the U.S., including binding corporate rules and the use of signed standard contract clauses, impose a significant administrative burden on companies doing regular business in the EU.

In October 2015, the European Court of Justice abruptly invalidated the safe harbor framework based, in part, on the disclosure by Edward Snowden of previously undisclosed surveillance of electronic communications by U.S. intelligence agencies. This decision led to a mad scramble by U.S. companies to find another way to legally receive and process EU-origin personal data.

Nine months later in July 2016, EU member states approved a new framework (EU-US Privacy Shield), with stronger provisions to address the concerns that led to the invalidation of the previous Safe Harbor Principles. To date, over 3,000 US companies have self-certified their acceptance of the requirements of the Privacy Shield.

During the review and negotiations of the Privacy Shield, EU data protection authorities issued an opinionidentifying three areas of concern:
The Privacy Shield does not require organizations to delete personal data when it is no longer needed;
The U.S. government does not “fully exclude the continued collection of massive and indiscriminate data”; and
It was unclear whether the newly appointed Ombudsperson to oversee enforcement of the Privacy Shield has sufficient powers to function effectively.

These concerns were echoed by the European Data Protection Supervisor, whose May 2016 opinionidentified specific changes to provide better assurance that the protection of EU data in the U.S. would meet the requirements of EU law, including the General Data Protection Regulation.

Concerns about the “collection of massive and indiscriminate data” continue. In its first annual review of the Privacy Shield, the European Commission reaffirmed that the Privacy Shield was offering adequate protection, but the Commission made a number of recommendations to improve the protection, including, among others:
Closer monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce; and
Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28) into the Foreign Intelligence Surveillance Act (FISA).

Since the European Commission’s...

Read The Full Article


0 Comments Write your comment

    1. Loading...