EU-US Privacy Shield Heads Into First Annual Review

The controversial EU-US Privacy Shield data sharing pact is to undergo its first annual review this week, with IT and business groups highlighting its strengths, while the European Commission takes a more cautious approach.

The arangement was brought into force on 12 July last year after the European Court of Justice, the EU’s top court, struck down its predecessor, known as ‘Safe Harbour’, amidst concerns over European data being monitored under the US government’s mass surveillance programmes.

US-EU data transfer

Privacy Shield seeks to ensure privacy protections by giving EU citizens stronger means of seeking redress in disputes, including a privacy ombudsman within the US State Department assigned the task of dealing with EU complaints.

One of the EU’s current issues with the deal, however, is the new US presidential administration’s failure to appoint an ombudsman, something EU justice commissioner Vera Jourova said she would address in a trip to the US on Monday and Tuesday.

Jourova is scheduled to meet with US commerce secretary Wilbur Ross in Washington, DC, before travelling to Silicon Valley to meet with IT companies such as Google and Facebook who are using Privacy Shield.

More than 2,400 firms have signed up to the deal, which allows them to transfer Europeans’ data out of the bloc without the need for costly bespoke contracts.

“The agreement improves privacy protections and ensures that data can continue to flow across the Atlantic, supporting the EU-US trillion-euro trade relationship, by far the largest in the world,” stated Victoria Espinel, president and chief executive of The Software Alliance (BSA), which was founded by Microsoft in the 1980s and represents firms such as Apple and IBM.

“Almost every type of transaction today has both a digital and international component and therefore relies on the unhindered and uninterrupted flow of data.”

‘Strength of the American promise’

The White House issued a statement saying the review would demonstrate the “value and integrity” of Privacy Shield.

“We firmly believe that the upcoming review will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic,” the White House stated.

Jourova has been more circumspect, telling various press outlets over the weekend she expects her fact-finding mission to identify some problems and make some proposals for improvement, although she doesn’t expect negotiations will be reopened. The Commission is to produce a report based on Jourova’s review next month.

She said the Commission is, amongst other things, trying to determine how many requests for Europeans’ data has been requested by US security services over the past year.

MEPs initially rejected Privacy Shield in a non-binding vote and it is currently subject to two legal challenges, while European data protection authorities have also expressed doubts over its effectiveness.

US policy concerns

In May 2016 Giovanni Buttarelli, the European data protection supervisor (EDPS), said in an official opinion he didn’t believe Privacy Sheild was robust enough to stand up under future legal scrutiny, particularly with EU data protection rules due to be tightened under the General Data Protection Regulation (GDPR) coming into force in May 2018.

“It’s time to develop a longer-term solution in the transatlantic dialogue,” Buttarelli said at the time.

In January the Information Commissioner’s Office (ICO) and EU data protection regulators said efforts by the new US administration to roll back data privacy regulations didn’t immediately affect Privacy Shield, but they said the actions raised concern over future US policies.

How well do you know the cloud? Try our quiz!