Annual review of the Privacy Shield: crisis averted?
16-10-2018
On 18 October of this year, the second annual review of the EU-US Privacy Shield will take place. Like last year, the chorus of critical voices has swelled in the past months. A (temporary) suspension of the Privacy Shield even seemed to be within the realm of possibility, before it was announced that the US had (finally) appointed an Ombudsperson. In the days leading up to the second review, Ovidius revisits the short, tumultuous history of the Privacy Shield.
The Privacy Shield: what is it again?
The Privacy Shield is an agreement between the EU and the US regarding the transfer of personal data. This is not the first bilateral agreement on this topic: between 26 July 2000 and 6 October 2015 the Safe Harbor decision of the European Commission provided a legal basis for the transfer of personal data to American companies. Following a complaint by the now-infamous Austrian activist Max Schrems, the European Court of Justice declared the Safe Harbor decision invalid on 6 October 2015.
During the months that followed, the EU and the US conducted intensive negotiations for a new framework agreement. With success: on 29 February 2016 the draft text for the Privacy Shield was published. It was seen as a step in the right direction by many, but there was also a lot of criticism. The so-called Article 29 Working Party (“WP29”), the body consisting of all representatives of the data protection authorities of the Member States and recently renamed the ‘European Data Protection Board’, identified three major concerns. The European Data Protection Supervisor also predicted that the Privacy Shield would be struck down in the near future. Nevertheless, the European Commission ruled on 12 July 2016 that the Privacy Shield offered adequate safeguards for the protection of personal data (a so-called ‘adequacy decision’). This was a relief for the many companies that had issues following the collapse of the Safe Harbor decision. Like Safe Harbor, the Privacy Shield works through self-certification: companies become a party to the Privacy Shield by signing up and proving they comply with all requirements.
Read more about the Privacy Shield in our news item of 16 November 2016
Not everyone happy with the Privacy Shield
The Privacy Shield came under fire shortly after the adequacy decision was adopted. In September 2016, the privacy organization Digital Rights Ireland filed a complaint with the General Court of the European Union (“General Court”), requesting it to declare the adequacy decision invalid. However, the General Court ruled on 22 November 2017 that it could not take the claim of Digital Rights Ireland into consideration, as the organization could not be considered a stakeholder. A similar case brought before the General Court by a French organization is still under consideration.
Read more about the complaints in our news item of 31 October 2016
Even though the revised text of the adequacy decision had addressed some of its concerns, the WP29 remained critical of the agreement. However, the WP29 decided to wait for the results of the first annual review.
First review: we’re not there yet
The first annual review took place on 18 and 19 September 2017 in Washington, D.C. The European Commission concluded in its report that the self-certification mechanism worked in general. Moreover, all necessary facilities to make the Privacy Shield work were in place. In short: a positive review, although the European Commission also had a few recommendations. In particular, the European Commission pressed for the appointment of a permanent Ombudsman and better awareness amongst EU citizens of their rights under the Privacy Shield.
Read more about the conclusions of the European Commission in our news item of 19 October 2017
The WP29, which had been critical prior to the evaluation, had a less positive view. In general, it considered the Privacy Shield a step up from Safe Harbor. However, the WP29 still identified huge issues that would have to be addressed either before 25 May 2018 (the day on which the General Data Protection Regulation entered into effect) or at the latest before the next annual review. The WP29 also stated that if this were not done, it would feel obliged to bring a case before the European Court of Justice.
Read more about the conclusions of the WP29 in our news item of 6 December 2017
The pressure is on
Most of the desired measures, however, did not materialize for a long time. On the contrary: in 2018, the ‘Clarifying Lawful Overseas Use of Data Act’ (“Cloud Act”) was adopted, which requires American data providers to hand over personal data of citizens to the American enforcement authorities, even if this personal data is stored overseas. A special committee of the European Parliament adopted a resolution on 12 June 2018 urging the European Commission to suspend the Privacy Shield if the US were to fail to comply with its obligations under the Privacy Shield by 1 September 2018. Although EU commissioner Vera Jourova emphasized on 4 July 2018 that a suspension was not on the table (yet), the motion of the committee was adopted by the European Parliament in plenary session on 5 July 2018.
Eventually, Vera Jourova sent a letter on 26 July 2018 to the American secretary of commerce, Wilbur Ross, warning him that the US had three months left to comply with the EU demands. In particular, the US would have to appoint an Ombudsman. Deadline? The second annual review.
US ambassador: US is fully compliant
Last week, the US reacted to the warning issued by the EU. The US ambassador stated that the US is fully compliant with the GDPR and, in addition, that the US does not want to discuss this any further. The ambassador also announced that the US had appointed an Ombudsperson on 28 September.
Furthermore, on 12 October 2018, it was announced that the American Senate had appointed three new members of the Privacy and Civil Liberties Oversight Board. This body has a significant role in the Privacy Shield mechanism, and for this reason the outstanding vacancies were considered problematic by, among others, the WP29. It is likely that, with the second annual review around the corner, the US sought to remove one more European criticism.
On 18 October 2018 the second annual review will take place. Wilbur Ross will travel to Brussels to be presented with the findings of the European Commission. What happens then is hard to predict. Suspension or a unilateral termination of the Privacy Shield could have disastrous consequences for both companies that have certified with the Privacy Shield and companies that do business with them. However, now that the US has appointed an Ombudsperson and filled several vacancies on the Privacy and Civil Liberties Oversight Board, such drastic measures seem to be off the table. It remains to be seen if the EU, like the US, comes to the conclusion that the US is fully compliant with the GDPR.