Max Schrems, the Austrian privacy campaigner, has stated that the newly-passed Privacy Shield will likely fail. The new agreement between the U.S. and the EU that allows for legally-protected data transfers was officially passed last Friday and is expected to be formally announced this week. It replaces Safe Harbor, which was ruled invalid last October by the European Court of Justice.
The documents that form the latest incarnation of Privacy Shield are an updated version of the draft released earlier this year. After its publication in February, the initial draft was rejected by the Article 29 Working Party and the European Parliament, preventing its implementation. Critics have argued that the new version is almost an exact replica of the older one, albeit with a few minor tweaks. The main changes are to be found in the Draft Commission Implementing Decision Regarding the Adequacy of the Protection provided by the EU-U.S. Privacy Shield (the Decision).
Among the significant changes, what stands out is that the agreement will be enforced in the U.S. by the Federal Trade Commission and the Department of Transportation. Such enforcement is crucial for an agreement based on a system of self-certification, by which participating organisations commit to the Principles set out in the document.
The Decision also confirms that, in addition to the 27 EU Member States, the agreement applies to the transfer of personal data from Iceland, Liechtenstein and Norway (which together with the EU form the European Economic Area, or EEA). Moreover, the Decision clarifies that certified companies must include a provision in onward transfer contracts requiring every recipient of personal data to notify the Privacy Shield-certified company if that recipient can no longer provide the level of protection required by the Privacy Shield Principles.
The updated Decision clarifies that Privacy Shield will apply solely to the processing of personal data by U.S. organisations in so far as that processing does not fall within the scope of EU law. It must be noted that, as of May 25th 2018, a U.S. company which processes personal data of EEA residents and whose activities fall within the scope of Article 3 of the General Data Protection Regulation (GDPR) cannot assume that its self-certification under Privacy Shield will be enough to demonstrate compliance with any and all provisions of the GDPR that apply to its operations. Article 3 of the GDPR clearly states that the activities of a data controller not established within the EU fall within the scope of the Regulation whenever its processing activities involve the offering of goods or services to individuals in the EU.
Ultimately, the new agreement has been divisive. Max Schrems told Fortune that he does not expect it will last long. “It’s the same as Safe Harbor with a couple of additions, and it’s going to fail like the one before,” he said. Mr Schrems, together with Green MEP Jan Philipp Albrecht, also stated that the “rules concerning personal data in the public sector are equally worrisome. In its Safe Harbour ruling, the European Court of Justice strongly criticised mass-surveillance laws in the US, which have not changed in the meantime. While US citizens enjoy certain protection against surveillance measures, ‘non-US persons’ are specifically exempted. Not only does the final Privacy Shield use the exact same wording on mass surveillance laws as Safe Harbor, but the US now even admits that it will continue to collect personal data stemming from Europe in bulk.” Vera Jourova, the EU’s Justice Commissioner, has however stated that Privacy Shield rules out “indiscriminate mass surveillance of European citizens’ data”. Which opinion is correct will ultimately be decided by the courts in the months and years to come, as data protection becomes ever more central to political and socio-economic affairs on both sides of the Atlantic. In the meantime, uncertainty and an absence of much-needed clarity in this sector will prevail.