Greetings from Brussels!
On Wednesday, the privacy community tuned in for the much anticipated WP29 opinion on the EU-U.S. Privacy Shield. It has been two months since the EU’s top policymakers agreed to the renewed data sharing agreement with their U.S. counterparts. Isabelle Falque-Pierrotin, France’s data protection ‘Czarina’ and head of the WP29, said at the press conference that the deal was encouraging and positive … but there is still work to do.
The WP29 clearly feels that the exceptions in the proposed Privacy Shield framework that would allow the U.S. to carry out mass surveillance of EU citizens are "not acceptable." The fear remains that American law enforcement and intelligence agencies might gain or retain – seemingly indiscriminate - access to European citizens’ personal information without sufficient safeguards in place.
There was a very transparent message for the European Commission to seek improvements in the deal it has negotiated with the U.S., with a repeated emphasis that it needs to ensure that EU citizens will receive equal privacy protection as guaranteed under EU law when their personal data is exported to America. Falque-Pierrotin said that data protection authorities also had some concerns about the independence and effectiveness of the Privacy Shield ombudsperson, who will deal with complaints from Europeans.
Furthermore, it was remarked that the framework contained no revision mechanism to cope with the wholesale change in European privacy law expected in 2018 with the introduction of the General Data Protection Regulation. On that particular piece of legislation, and in parallel, the GDPR was approved by the European Parliament yesterday, the day following the WP29 press conference. The regulation will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date, and member states will have two years to transpose the provisions of the regulation into national law.
In response to the WP29 opinion, Vera Jourová, the European justice commissioner, said in a statement that she would try to incorporate the regulators’ views into the final Privacy Shield pact. She also expressed that she counted on the European DPAs to ensure the Shield works well in practice. For the U.S. side of enforcement, make sure to read the excellent study of Safe Harbor enforcement, as put together by IAPP Westin Fellow Anna Myers, CIPP/US, which offers insight into how Shield might be enforced going forward.
Before making their final decision, expected in June, on whether to proceed with the Privacy Shield framework, the European Commission will wait to hear from another advisory body, namely the Article 31 Committee, which consists of representatives of the Member States; most of its members are thought to be in favor of Privacy Shield. The Article 31 Committee is expected to consider the framework at meetings in late April and May before issuing its opinion.
If we are to believe that the new deal designed to replace Safe Harbor has fallen short of European regulatory expectation, then one can only conclude that businesses operating on both sides of the Atlantic will continue to reach for their aspirin bottles, as legal uncertainty continues. One can realistically imagine that if the EC and the U.S. authorities do not take the WP29 opinion seriously, Privacy Shield is more likely to be challenged in the higher European courts in the near future. Especially if the Max Schrems case is anything to go by.
We could find ourselves back to square one, and, frankly, that would be bordering on the insane given the intercontinental efforts to reach the current deal.
If you want to comment on this post, you need to login.