After more than two years of negotiations with the U.S., the European Commission officially adopted the EU-U.S. Privacy Shield arrangement Tuesday. Appearing together with U.S. Department of Commerce Secretary Penny Pritzker, EU Justice Commissioner Věra Jourová announced the deal earlier today in Brussels.
“Ladies and gentlemen, I am very pleased to announce the European Commission has adopted the decision on the EU-U.S. Privacy Shield,” said Jourová during this morning’s press event. She said the new deal is fundamentally different from the previous Safe Harbor arrangement, notably because of the annual joint review, which will allow the EU to address any issues as they arise.
In her remarks, Pritzker said she was "thrilled" with the new agreement, calling it "a milestone for privacy at a time when the sharing of data is driving growth in every sector, from advanced manufacturing to advertising." She also said the Commerce Department will begin accepting Privacy Shield certifications on August 1.
In its press release announcing the agreement, the European Commission also revealed the final version of the Adequacy decision, the Annexes provided by the U.S. government, a Q&A, a Factsheet, and a Communication informing the European Parliament and the European Council of the Privacy Shield framework. With notification of the EU Member States today, the Commission announced the agreement goes into effect immediately. It also said it will begin working on a short guide for EU citizens in case they want to file a complaint about misuse of their personal data.
In a blog post anticipating the adoption, Microsoft EU Government Affairs Vice President John Frank said it was "an important achievement for privacy rights for citizens across Europe" and for companies that rely on international data flows. "For me, one of the key points in the decision is the annual review clause. This makes the Privacy Shield a living framework. It can evolve over time, adapting to changes in data practices, technology and privacy laws. Our customers, our vast network of partners in Europe and Microsoft itself will all benefit from a stable legal framework, with flexibility built in."
Frank also said Microsoft will begin its procedure for joining Privacy Shield and reemphasized the company's commitment "to cooperate with national Data Protection Authorities across the EU and to comply with their advice regarding any disputes under the Privacy Shield."
Google Head of Global Public Policy Caroline Atkinson also applauded the Privacy Shield adoption, and, she wrote, "we’re also choosing to co-operate with Europe’s Data Protection Authorities on EU-US Privacy Shield inquiries."
But not all parties are happy with the new framework. German Green MEP Jan Philipp Albrecht, who hosted a breakfast meeting with privacy activist Max Schrems, said the European Commission "just signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights." He also said the agreement will not be in concert with the upcoming General Data Protection Regulation - a regime he helped shepherd through European Parliament. "EU justice commissioner Jourova must now make clear that, once the EU’s new General Data Protection Regulation enter into force in 2018, there will also be a need to revise the Privacy Shield decision," he stated.
Schrems also criticized the deal, saying it will be a losing situation for both citizens and businesses. "This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution," he wrote in a press release.
In an co-authored op-ed for The Irish Times, Albrecht and Schrems predict it will be "highly likely" the new deal will be invalidated by the CJEU.
In an interview with Fortune reporter David Meyer, Schrems said there will not be "a lack of people challenging" the agreement. He suspects the Article 29 Working Party, which plans to review the final deal on July 25, will be first in line, followed by a number of NGOs. “We haven’t really made up our minds so far, but it’s really not a problem to challenge it,” he told Meyer. “There are so many options to kill it.”
In a conference call held Monday by Sidley Austin, attorney Cameron Kerry advised that companies think about still having an alternative transfer mechanism on hand, according to the report.
Though the deal will likely be challenged, for the time being, companies will have a transfer mechanism. The Direct Marketing Association said the deal "ends a long period of uncertainty for marketers and advertisers and signals important support for the role of the responsible data use and transfer in accelerating consumer benefits, economic growth and innovation." The organization also said it will work closely with the Commerce Department to help its members appropriately implement the Shield obligations.
And though there will likely be challenges to the deal, Commerce Secretary Pritzker reemphasized what the deal will mean going forward. "For businesses, the free flow of data makes it possible for a startup in Silicon Valley to hire programmers in the Czech Republic, or a manufacturer in Germany to collaborate with a research lab in Tennessee. For consumers, the free flow of data means that you can take advantage of the latest, most innovative digital products and services, no matter where they originate."
Next up will be the analysis of the deal by the Article 29 Working Party later this month.
Top image: Screen shot from today's Privacy Shield presser.
If you want to comment on this post, you need to login.