EU commissioner announces September review for EU-US Privacy Shield

Privacy Shield will be up for review in September. The date was announced by Vera Jourova, the European commissioner for justice, consumers and gender equality, during a visit to Washington DC late last week.

She gave the speech on 31 March to the Center for Strategic and International Studies, a leading geopolitical thinktank. Jourova declared, “In a world where cross-border data flows have become a central feature of global trade, strong data protection rules would be meaningless if the data can travel abroad without protections.”

While Jourova was largely optimistic, noting that nearly 2000 companies have now signed up for Privacy Shield, she told the audience that “we have to ensure that the key foundations of the Privacy Shield remain in place”.

With that, she announced that Privacy Shield's first annual review would commence in September this year: “This will be an important milestone where we need to check that everything is in place and working well.”

Despite Jourova's seeming optimism, the comments were made against a backdrop of uncertainty over the data-sharing agreement.

The Privacy Shield framework was created after the decades-old European data protection regime, known as the Safe Harbour Principles, was struck down in EU courts. The European Court of Justice made the landmark 2015 decision after the realities of US surveillance were revealed, and the efficacy of Safe Harbour was challenged by activist Max Schrems.

Although a variety of reassurances have been made by EU and US officials alike – that European data will be largely excluded from US surveillance practices – the framework is still the subject of criticism.

Many privacy advocates, including those within the bodies of the European Union, have been especially critical of the framework. The Civil Liberties group within the European Parliament voted last week to call Privacy Shield deficient. Particularly contentious were weaknesses around objections and judicial remedies that individuals could apply for if their data was abused on the other side of the Atlantic.

The resolution called on European data protection authorities to monitor the functioning of Privacy Shield and to exercise their powers to suspend data transfers “if they consider that the fundamental rights to privacy and the protection of personal data of the Union's data subjects are not ensured”.  

The resolution also queried how effective the agreement would be in light of morphing US surveillance practices, such as the National Security Agency being granted the ability early this year to share data with other US agencies.

The resolution will be voted on by the whole European Parliament in April.

While the resolution is not a concrete refusal of Privacy Shield, it reflects what appears to be an increasing distrust of the efficacy of the agreement. The agreement has always been criticised as insufficient but the recent legislative agenda under the new US administration has done little to restore faith.

Vera Jourova went to the US Capitol last week to seek ‘reassurances’ from the US government that the agreement would be upheld.

She told Bloomberg Technology, “For me it is important to be here in Washington to ask the new administration whether the guarantees which we agreed upon in the so-called Privacy Shield are still in place.”

When asked whether, as she has previously stated, she would still pull the Privacy Shield if the correct assurances were not in place, she said she had “positive feelings” and that she had been reassured by representatives from the American Chamber of Commerce and a variety of businesses “that Privacy Shield is fulfilling its main purposes”.

Watchdogs, on the other hand, have concerns, she said, telling Bloomberg that there was a “feeling that there will be more emphasis on ensuring national security which means that privacy would be secondary”.

A number of executive orders in the first few months of the Trump presidency set European anxieties alight. One, in particular, relieved foreign citizens of rights under the Privacy Act and provoked EU privacy advocates to call for its suspension.

Privacy regulation is also being vigorously turned back. The Federal Communications Commission (FCC) recently got rid of requirements that made private companies “adequately protect” their data.

And this week the House of Representatives turned back Obama-era regulation that prevented internet service providers from selling a wide variety of personal information without affirmative permission from their customers.

The material effect of these measures on European data is not clear and some say there is little effect at all, despite how much European data passes across the Atlantic. SC last week spoke to Mark Watts, a partner at Bristow's law firm and an IT specialist, and asked him whether any of these measures directly threaten European data.

European officials are being asked to put a lot of faith in this new administration, said Watts: “They're being asked to accept that Privacy Shield will be properly enforced against companies by the FTC (Federal Trade Commission). That the Department of Commerce will take complaints seriously. That the ombudsman that's supposed to look at national security access to data will do a proper job.

“All of these things are being put in place but if they don't actually happen in practice, then they're a bit pointless”.

What would happen if Privacy Shield is suspended, or scrapped altogether after its first review? “We're in a really important moment here”, Alaister Johnson, an associate at Linklater's law firm's TMT practice, told SC, noting the discontent with the framework that preexisted even its ratification in the EU: “It's difficult to determine where exactly we will end up.”

“We may get to an impasse, whereby the US officials are unwilling to give enough to satisfy EU regulators that Privacy Shield remains workable and adequate.”

If there were an entire repeal of Privacy Shield, the EU would have to look to alternative transfer mechanisms to justify the ongoing data transfer.

However, it's unlikely that we'll reach the same kind of situation as was the case after the death of Safe Harbour. Organisations already know that Privacy Shield is on what is essentially a probation period, added Johnson, and will have “model contracts in place as a fall back”.
