On July 8, European Union member states approved the Trans-Atlantic Privacy Shield data transfer deal, finally paving the way for the pact to be formally approved by EU and U.S. officials on July 12.
The Article 31 committee, which is made up of representatives of each EU member state, held their highly anticipated final vote on the Privacy Shield, which EU and U.S. officials revealed in February, to replace the longstanding safe harbor data transfer deal that was struck down last year by the European Court of Justice.
The Article 31 committee’s approval comes after many months of criticism from various EU bodies of the European Commission’s initial February proposal, including the European Parliament, the Article 29 Working Party, and the European Data Protection Supervisor. The Article 29 Working Party in particular expressed concerns over the February proposal for its lack of a data retention principle and data processing purpose limitation, as well as issues of onward data transfer and EU individuals’ right of redress.
Commenting on the approval of the Privacy Shield, Andrus Ansip, Vice President for the Digital Single Market on the European Commission, and Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, said in a joint statement:
Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows. This paves the way for the formal adoption of the legal texts and for getting the EU-U.S. Privacy Shield up and running. The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business. It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms. During the formal adoption process, the Commission has consulted as broadly as possible taking on board the input of key stakeholders, notably the independent data protection authorities and the European Parliament. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice. Today’s vote by the Member States is a strong sign of confidence.
We previously wrote here that the need for a new privacy shield came about in light of the Snowden revelations, when an Austrian privacy activist named Max Schrems brought suit against Facebook for its alleged transfer of personal data to the United States’ National Security Agency (NSA), as part of NSA’s PRISM program. Schrems’ “Europe v. Facebook” group filed suit against Facebook in Ireland with the Irish Data Protection Commissioner. On June 18, 2014, the suit before the Irish High Court was referred to the Court of Justice of the European Union (CJEU). The central question of the referral was the legitimacy of the European Union’s granting of “Safe Harbor” status to the United States when it came to the transfer of personal information.
On September 23, 2015, the CJEU found that with respect to the powers of national supervisory authorities, the European Commission may adopt a decision that a third country ensures an adequate level of protection that is binding on all member states and their organs, including national supervisory authorities. However, a European Commission determination, such as the Commission Decision 5000/250 that first found the Safe Harbor “adequate,” does not prevent a national supervisory authority from examining claims lodged by individuals concerning the processing of their personally identifiable information (PII). In fact, “[w]hile the Advocate General (of the CJEU) acknowledges that the national supervisory authorities are legally bound by the Commission decision (on the Safe Harbor) … such a binding effect cannot require complaints to be rejected summarily.” Thus, the CJEU found that the Safe Harbor program was inadequate insofar as it allowed for government interference with individual privacy rights, it failed to give individuals violated a means of redress, and it prevented national supervisory authorities from exercising their powers on behalf of their citizens.
Since then, companies have been eagerly anticipating a new privacy shield as the EU member states and the U.S. engaged in dialogue for months. Today’s announcement marks a significant step towards reaching a final agreement.
Even with the expected approval by the EU and U.S. on July 12, there is very real risk that the Court of Justice may deem the new arrangement invalid as well. Max Schrems, the privacy activist, has already vowed to challenge the new Privacy Shield in EU courts. Therefore, the new Privacy Shield may be short lived once it is enacted.