This morning the European Commission announced that it has issued the legal texts that will put in place the EU-U.S. Privacy Shield. This highly anticipated announcement comes after the Court of Justice of the European Union (CJEU) invalidated the 15-year-old Safe Harbor framework last October.
The terms outlined in the EU-U.S. Privacy Shield will not come as a surprise to anyone following this decision, as they align closely with the intent outlined by the European Commission earlier this month. The most notable addition was the commitment to establish a redress possibility through an ombudsperson who will be independent of national security services. This official’s role will be dedicated to following up on complaints from individuals in order to ensure relevant laws are being complied with. There is also a clear complaint methodology that requires complaints to be resolved by companies within 45 days.
While this framework is progress, it may not be enough to satisfy the CJEU, which will have the final say. For starters, one of the big concerns with Safe Harbor was the lack of oversight and the fact that companies had to self-certify that they were complying. In the new Privacy Shield framework, companies will still have to self-certify that they meet the requirements. And while the Commission noted that “for the first time, the U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms,” these mechanisms will likely need to be proven effective and impartial in order to meet the requirements of the CJEU.
Additionally, in a letter, the Director of National Intelligence outlined six situations in which the NSA will be explicitly allowed to use data collected in bulk. This could be problematic for coming to an agreement on the Privacy Shield, as the CJEU stated in its original judgment:
“Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.”
Looking forward, the Article 29 Working Party is expected to deliver their opinion to the European Commission on whether the new Privacy Shield framework can pass the CJEU test in March.
For more details about the background, best practices and future of transatlantic data privacy and transfer policies, download our more recent white paper: After Safe Harbor: Navigating Unknown Data Privacy Waters.