European Commission set to call time on Privacy Shield

Time has almost run out for EU-US Privacy Shield. It’s highly probable that by 18 October 2018, the European Commission will agree with the European Parliament vote taken in July 2018 to suspend EU-US Privacy Shield, the international data sharing agreement between the US and the European Union.

This won’t come as any surprise within the data privacy community and in many respects has been on the cards since the Facebook and Cambridge Analytica scandal earlier this year that underlined the importance of monitoring mechanisms intended to protect citizens from the misuse of their personal data on an industrial scale.

But it would be wrong to write off Privacy Shield as being a defective mechanism in the way it’s been conceived. The issue goes much deeper as Privacy Shield wasn’t designed to provide exactly the same level of data protection, privacy and security enjoyed by EU citizens under the GDPR.

Instead, the fatal blow to Privacy Shield will be the evidence that it doesn’t provide effective control over whether self-certified US and EU companies and organizations have actually complied with its provisions.

In a recent opinion piece published by the IAPP, the authors expressed concerns over compatibility issues between Privacy Shield and the GDPR.

“Lack of GDPR compatibility could pose problems between data exporters and data importers. Consider what happens when a breach occurs downstream. There is no breach reporting requirement for the Privacy Shield company to tell the EU-based controller, a GDPR-compliant company, of the breach. Further, if the Privacy Shield company is at fault and the controller penalized by the data protection authority, there is no mechanism to transfer the liability downstream to the company causing it. Clearly, tight contracts between all parties are required,” observed the authors.

In addition, structural changes in the oversight of the mechanism promised by the US Department of Commerce – including the appointment of an independent Ombudsman to investigate complaints from EU citizens – haven’t materialised and don’t look like being remedied anytime soon.

And all of this takes place against the backdrop of the Trump Administration wanting Federal data protection laws that reverse those passed in the State of California.

Vera Jourova, EU Commissioner for Justice, has written to US Commerce Secretary Wilbur Ross to demand progress on the US administration’s appointment of senior personnel to oversee Privacy Shield, which had been promised under the Obama administration, but from all accounts this has fallen on deaf ears.

President Trump’s performance at this week’s UN Security Council exposes the divide between the US and the EU, given Trump’s view of geo-politics and US national interest at the expense of international co-operation on matters such as data protection – now viewed on Capitol Hill as a restraint on US global business interests rather than as a way of addressing an historical imbalance of power where ordinary individuals felt powerless to prevent the exploitation of their personal data at the expense of big business.

The European Data Protection Board (EDPB) now faces the biggest test of its short existence and must decide whether to advise the European Commission to throw its weight behind declaring Privacy Shield unworkable and to suspend its operation – in much the same way that led the Court of Justice of the European Union to declare Safe Harbor unworkable back in 2015.

Privacy Shield is used by more than 3,350 US and EU companies for the free transfer of personal data, and lawyers on both sides of the Atlantic have been warning clients not to rely on it as a key mechanism and instead to look at using Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) as a safer alternative.

