On 18 October of this year, the second annual review of the EU-US Privacy Shield will take place. Like last year, the chorus of critical voices has swelled in the past months. A (temporary) suspension of the Privacy Shield even seemed to be in the realm of possibilities, before it was announced that the US had (finally) appointed an Ombudsperson. In the days leading up to the second review, Ovidius revisits the short, tumultuous history of the Privacy Shield.
The Privacy Shield: what is it again?
The Privacy Shield is an agreement between the EU and the US regarding the transfer of personal data. This is not the first bilateral agreement on this topic: between 26 July 2000 and 6 October 2015 the Safe Harbor decision of the European Commission provided a legal basis for the transfer of personal data to American companies. Following a complaint of the -now infamous- Austrian activist Max Schrems, the European Court of Justice declared the Safe Harbor decision invalid on 6 October 2015. During the months that followed, the EU and the US conducted intensive negotiations for a new framework agreement. With success: on 29 February 2016 the draft text for the Privacy Shield was published. It was seen as a step in the good direction by many, but there was also a lot of critique. The so-called Article 29 Working Party (“
Read more about the Privacy Shield in our news item of 16 November 2016.
Not everyone happy with the Privacy Shield
The Privacy Shield came under fire shortly after the adequacy decision was adopted. In September 2016, the privacy organization Digital Rights Ireland filed a complaint with the General Court of the European Union (“
Read more about the complaints in our news item of 31 October 2016.
Even though the revised text of the adequacy decision had addressed some of its concerns, the WP29 remained critical of the agreement. However, the WP29 decided to wait on the results of the first annual review.
First review: we’re not there yet
The first annual review took place on 18 and 19 September 2017 in Washington, D.C. The European Commission concluded in its report that the self-certification mechanism worked in general. Moreover, all necessary facilities to make the Privacy Shield work, were in place. In short: a positive review, although the European Commission also had a few recommendations. In particular, the European Commission pressed for the appointment of a permanent Ombudsman and a better awareness amongst EU citizens with respect to their rights under the Privacy Shield.
Read more about the conclusions of the European Commission in our news item of 19 October 2017.
The WP29, who had been critical prior to the evaluation, had a less positive view. In general, it considered the Privacy Shield a step up from Safe Harbor. However, the WP29 still identified huge issues that would have to be addressed either before 25 May 2018 (the day on which the General Data Protection Regulation entered into effect) or at the latest before the next annual review. The WP29 also stated that if this would not have been the case, she would feel obligated to bring a case before the European Court of Justice.
Read more about the conclusions of the WP29 in our news item of 6 December 2017.
The pressure is on
Most of the desired measures, however, did not come to be for a long time. On the contrary: in 2018, the ‘Clarifying Lawful Overseas Use of Data Act’ (“
US ambassador: US is fully compliant
Last week, the US reacted to the warning issued by the EU. The US ambassador stated that the US is fully compliant with the GDPR; and, in addition, that the US does not want to discuss this any further. The ambassador also announced that the US had appointed an
And now?
On 18 October 2018 the second annual review will take place. Wilbur Ross will travel to Brussels to be presented with the findings of the European Commission. What happens then, is hard to predict. Suspension or a unilateral termination of the Privacy Shield could have disastrous consequences for both companies that have certified with the Privacy Shield and companies that do business with them. However, now that the US has appointed an Ombudsperson and filled several vacancies on the Privacy and Civil Liberties Oversight Board, such drastic measures seem to be off the table. It remains to be seen if the EU, like the US, comes to the conclusion that the US is fully compliant with the GDPR.