The European Commission has formally adopted a new framework for governing personal data transfers between the EU and the U.S., replacing the prior Safe Harbor agreement which was invalidated last fall, and aiming to end nine months of uncertainty.
The EU-US Privacy Shield agreement is another attempt to bridge two distinct legal regimes, aiming to achieve ‘essential equivalence’ of European data protection laws in the US where EU law does not have jurisdiction, while also providing legal certainty for businesses operating in the two regions.
It’s a balancing act that some expert commentators suggest is impossible without substantial reform of US laws.
But in a press conference today the lead negotiators from the two regions spoke from a joint podium to assert that after some two and half years of talks they have delivered “a framework that protects privacy and creates certainty”, as US secretary of commerce Penny Pritzker couched it. She also dubbed it a “milestone for privacy”.
EC commissioner Věra Jourová asserted that the Privacy Shield places stronger obligations on companies in the US to protect EU citizens’ data, noting for example the new ombudsman created to handle European citizens’ complaints to provide “easier redress possibilities”, and lauding the “assurances” secured from the US government that “any access to personal data for law enforcement or national security is limited to what is necessary and proportionate”.
She also took a moment to personally thank Pritzker for helping restore “trust” between the two regions — trust which took a battering after the 2013 Edward Snowden revelations revealed the extent of US mass surveillance programs.
The prior Safe Harbor regime, a self-certification program, was finally felled by a European Court of Justice exactly concerned by the impact of US mass surveillance program on European’s fundamental data protection rights.
But Jourová claimed Privacy Shield is “fundamentally different from Safe Harbor”, while also pointing to a new annual joint review process that she said will “make it easier to solve any problems that could arise”.
Earlier this year a draft version of the Privacy Shield agreement was criticized as not good enough by the influential Article 29 Working Party, made up of heads of EU Member States’ data protection agencies (the group will meet towards the end of this month to assess the final deal in light of their earlier criticisms). The European Parliament also previously expressed concerns.
But Jourová claimed the Commission has taken on board these criticisms, and has worked to make the final text “better and clearer”. She went on to flag up a “strengthened and clarified role” for the ombudsperson; “better” clarification of instances when “bulk collection of data may occur and what distinguishes it from mass surveillance”; and “strengthened and clarified” obligations on companies signing up to the Shield, such as deleting personal data when it is no longer necessary.
The pair faced journalists questions including on the independence of the ombudsperson, the continued challenge of US surveillance programs, and the impact of a related privacy court case ongoing in Ireland.
On the latter they expressed confidence the Shield will stand up to any future court challenge — as Safe Harbor did not.
“We worked closely with the EC to ensure Privacy Shield will withstand court challenges,” said Pritzker. “With new privacy protections in place we are confident the framework will withstand further scrutiny.”
Source : https://techcrunch.com/2016/07/12/eu-us-privacy-shield-now-officially-adopted-but-criticisms-linger/609