For anyone who has been tracking the trials and tribulations of the invalidation of the Safe Harbor agreement, followed by the down-to-the-wire negotiations of the Safe Harbor replacement (the ironically denoted “Privacy Shield”), it probably comes as no surprise that the drama continues.
A little more than two months ago, after “tough” negotiations, the United States and the European Union agreed on a new framework to permit personal data to flow between the EU and U.S. Then, the text of the new Privacy Shield was published by the European Commission along with an initial decision finding the Privacy Shield adequate. It appeared that things were moving along nicely, and the more than 4,400 U.S. companies that relied on the Safe Harbor to transfer data from the EU to the U.S. would have a replacement by perhaps this summer.
Maybe not.
The Article 29 Working Party, a group of EU privacy watchdogs comprised of data protection officials from the 28 EU member states, reviewed the Privacy Shield and found that it has some problems. While the Shield is apparently better than the Safe Harbor, it still needs some improvement. In particular, the Working Party believes the Shield includes overly-complex arrangements on redress for violations of an individual’s privacy rights and also leaves open the possibility that U.S. law enforcement can engage in bulk collection of data. Isabelle Falque-Pierrotin, chairwoman of the Working Party, also noted that the Shield contains no mechanism to account for the comprehensive changes to the EU privacy laws scheduled to take effect in the spring of 2018.
These findings from the Working Party certainly dent the Shield, but they are not binding on the EU Commission, which can still approve it. And, there is still optimism that the Shield ultimately will be approved. There is, however, some risk to doing so without appeasing the Working Party. Specifically, the Working Party could ask the European Court of Justice to rule on the legality of the Shield if it feels that the Commission has not addressed its concerns. Also, if certain EU member states are not happy with the Shield, they could be more aggressive in enforcing their local data protection laws against U.S. companies that rely on the Shield.
So, for now, it’s wait-and-see. And while this is frustrating for many U.S. companies who would like to get started with determining how to certify under the Shield, drama and uncertainty seem to be the norm these days for trans-Atlantic data flows. Hopefully, the Shield is strong enough to survive this latest blow.