Privacy Shield: An improved "safe harbor" or 'painting 10 layers of lipstick on a pig'?
13 July 2016
In October 2015 the Court of Justice of the European Union (CJEU) declared Safe Harbor invalid as a framework for the transfer of personal data from the EU to the USA. The CJEU was ruling on a case brought by the internet activist and privacy evangelist Max Schrems in respect of the snooping practices exposed by Edward Snowden, the former security contractor who blew the whistle on the National Security Agency and in doing so raised awareness of the degree to which personal data is systematically accessed by agencies in the USA.
Following the declaration of Safe Harbor as invalid, EU and US politicians and regulators have been working hard to find a substitute for Safe Harbor and have finally approved Privacy Shield as a safe framework for transatlantic personal data flows. This is good news for businesses that use US-based cloud and other hosted services and is also good for multinationals whose personal data moves backwards and forwards between the EU and USA.
Privacy Shield includes commitments by the USA to limit the use of bulk data collection for intelligence and security purposes, requires the appointment of an ombudsman to deal with complaints by EU citizens and gives regulators the power to fine businesses that do not comply with Privacy Shield.
Whilst Privacy Shield is being signed up to from 1st August by many US corporations, it is still very much on probation. The Article 29 Data Protection Working Party (the Working Party) recently issued its Opinion (WP238) expressing concerns and asking for various clarifications.
Whilst the Working Party commends the European Commission and the US for finally launching Privacy Shield, the Working Party is particularly concerned at “the lack of specific rules on automated decisions and of a general right to object.” It is also unclear “how the Privacy Shield Principles shall apply to processors.”
In addition to the above concerns, the Working Party states in its Opinion that “it would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism.” With US organisations able to begin certifying compliance with Privacy Shield from 1st August, there are now a lot of decisions to be taken as to whether Privacy Shield is more for show than for protection, and with so many international businesses having already opted for the use of Model Clauses or Binding Corporate Rules for data transfers, maybe Privacy Shield will be more hung on the wall than armed for action.
According to privacy activists including Max Schrems, Privacy Shield is still not a perfect solution and indeed Max Schrems has described the EU/US negotiations as ‘putting 10 layers of lipstick on a pig’.