EU-US Privacy Shield

The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.[1] One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.[2] The EU-US Privacy Shield is a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.[3]

Background history

In October 2015 the European Court of Justice declared the previous framework called the International Safe Harbor Privacy Principles invalid.[3] Soon after this decision the European Commission and the U.S. Government started talks about a new framework and on 2 February 2016 they reached a political agreement.[1] The European Commission published a draft “adequacy decision”, declaring principles to be equivalent to the protections offered by EU law.[4]

The Article 29 Data Protection Working Party delivered an opinion on April 13, 2016, stating that the Privacy Shield offers major improvements compared to the Safe Harbour decisions, but that three major points of concern still remain. They relate to deletion of data, collection of massive amounts of data, and clarification of the new Ombudsperson mechanism.[5] The European Data Protection Supervisor issued an opinion on 30 May 2016 in which he stated that "the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the [European] Court".[6]

On 8 July 2016 EU Member States representatives (article 31 committee) approved the final version of the EU-U.S. Privacy Shield, paving the way for the adoption of the decision by the Commission.[7] The European Commission adopted the framework on 12 July 2016 and it went into effect the same day.[8][9]

U.S. President Donald Trump signed an Executive Order entitled "Enhancing Public Safety" which states that U.S. privacy protections will not be extended beyond US citizens or residents:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.[10]

The European Commission has stated that:

The US Privacy Act has never offered data protection rights to Europeans. The Commission negotiated two additional instruments to ensure that EU citizens’ data is duly protected when transferred to the US:
  • The EU-US Privacy Shield, which does not rely on the protections under the US Privacy Act.
  • The EU-US Umbrella Agreement, which enters into force on 1 February (2017). To finalise this agreement, the US Congress adopted a new law last year, the US Judicial Redress Act,[11] which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”[12]

The Commission said it will “continue to monitor the implementation of both instruments”.[13]

Response

German MEP Jan Philipp Albrecht and campaigner Max Schrems have criticized the new ruling, with the latter predicting that the Commission might be taking a "round-trip to Luxembourg" (where the European Court of Justice is located).[14] EU Commissioner for Consumers, Vera Jourova, expressed confidence that a deal would be reached by the end of February.[15] Many Europeans are demanding a mechanism for individual European citizens to lodge complaints over the use of their data, as well as a transparency scheme to assure that European citizens data does not fall into the hands of U.S intelligence agencies.[16] The Article 29 Working Party has taken up this demand, and stated it will hold back another month until March 2016 to decide on consequences of Commissioner Jourova's new proposal. [17] The European Commission’s Director for Fundamental Rights Paul Nemitz stated at a conference in Brussels in January how the Commission would decide on the "adequacy" of data protection. [18] The Economist newspaper predicts that "once the Commission has issued a beefed-up 'adequacy decision', it will be harder for the ECJ to strike it down".[19] Privacy activist Joe McNamee summed up the situation by noting the Commission has announced agreements prematurely, thus forfeiting its negotiating right.[20] At the same time, the first court challenges in Germany have commenced: the Hamburg data protection authority was during February 2016 preparing to fine three companies for relying on Safe Harbour as the legal basis for their transatlantic data transfers and two other companies were under investigation.[21] From the other side a reaction looks imminent.[22]

Controversy

As of February 2017 the future of the Privacy Shield is contested. One consultant, Matt Allison, predicts that "The EU's citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK." [23] Allison summarizes a new paper in which the European Commission lays out its plans for adequacy decisions and global strategy. [24]

See also

References

  1. 1 2 European Commission - Press release: political agreement on framework
  2. "The new transatlantic data "Privacy Shield"". The Economist. ISSN 0013-0613. Retrieved 2016-03-26.
  3. 1 2 Vera Jourova, "Commissioner Jourová's remarks on Safe Harbour EU Court of Justice judgement before the Committee on Civil Liberties, Justice and Home Affairs (LIBE)", 26 October 2015
  4. "5 things you need to know about the EU-US Privacy Shield agreement". PCWorld. Retrieved 2016-03-26.
  5. Chapter 5 of Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision, the Article 29 Data Protection Working Party
  6. European Data Protection Supervisor, Privacy Shield: more robust and sustainable solution needed, 30 May 2016
  7. Statement by European Commission Vice-President Ansip and Commissioner Jourová, Adoption by Member States of the EU-U.S. Privacy Shield, 8 July 2016
  8. European Commission - Press release: launch privacy shield
  9. Privacy Shield adequacy decision
  10. Executive Order: Enhancing Public Safety in the Interior of the United States, Section 14, 25 January 2017, accessed 27 March 2017
  11. Public Law 114-126, 24 February 2016
  12. Muncaster, P., Trump Order Sparks Privacy Shield Fears, InfoSecurity Magazine, accessed 27 March 2017
  13. Muncaster, P., Trump Order Sparks Privacy Shield Fears, InfoSecurity Magazine, accessed 27 March 2017
  14. Max Schrems: "EU US Privacy Shield" (Safe Harbor 1.1) "European Commission may be issuing a round-trip to Luxembourg" 16:45 (2nd Feb. 2016), PDF retrieved 3rd Feb. 2016
  15. "Jourová: The new EU-US bridge [INTERVIEW]". New Europe. Retrieved 2016-02-03.
  16. Lomas, Natasha. "EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29". TechCrunch. Retrieved 2016-02-03.
  17. Statement on the consequences of the Schrems judgement (2nd Feb. 2016), PDF retrieved 6th Feb. 2016
  18. Bracy, Jedidiah. "New data transfer deal could come by Monday, 2015-01-28". The Privacy Advisor. Retrieved 2016-02-03.
  19. "Charlemagne: "Swords and shields". America and the European Union have reached a deal on data protection, Feb 6th 2016". The Economist. Retrieved 2016-02-08.
  20. "What’s behind the shield? Unspinning the “privacy shield” spin, Feb 2nd 2016". European Digital Rights initiative (EDRi). Retrieved 2016-02-10.
  21. Meyer, David. "Here Comes the Post-Safe Harbor EU Privacy Crackdown, Feb.25, 2016". Fortune Magazine. Retrieved 2016-02-26.
  22. Martin, Alexander J. "US plans intervention in EU vs Facebook case caused by NSA snooping, 13 Jun 2016". Fortune Magazine. Retrieved 2016-06-16.
  23. Allison, Matt. "A Template for Adequacy: EU Pitches for Data Protection Gold Standard, Feb 09, 2017". CircleID. Retrieved 2017-02-14.
  24. "Exchanging and Protecting Personal Data in a Globalised World", 10.1.2017, COM(2017) 7 final". European Commission. Retrieved 2017-02-14.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.