Privacy Shield has been in operation for a year, but will it continue?

The first year of functioning of the Privacy Shield programme will soon end. A review of the programme is scheduled for September 2017. It is designed to be a thorough verification of whether the programme meets the hopes pinned on it and effectively ensures adequate protection of personal data by American recipients of data registered for the programme. The review should also determine the future direction for development of the programme and identify areas requiring improvement.

On 12 July 2016 the European Commission adopted a decision confirming that entities operating in the territory of the United States meeting the conditions specified in the Privacy Shield programme would be deemed to ensure adequate protection of personal data from the EU. This means that data can be transferred to such entities without applying other mechanisms for ensuring adequate protection, such as standard contractual clauses or binding corporate rules.

The EU–US Privacy Shield Framework was developed by the US Department of Commerce to replace the Safe Harbour programme. So far over 2,000 entities have enrolled in the programme. According to preliminary information, all complaints about data protection infringements by programme participants have been successfully resolved through the participants' internal procedures.

The programme is to be reviewed jointly by the US Department of Commerce and the European Commission, with the involvement of the Federal Trade Commission, data protection authorities, the Article 29 Working Party and other stakeholders involved in the functioning of Privacy Shield. The organisers will undoubtedly consider the opinions on the programme expressed over the last year by European legislators, NGOs and business representatives. It’s hard to predict now what conclusions the review may reach, but the facts mentioned below suggest that the programme will be continued and improved.

First, invalidating the programme would require annulment of the Commission’s decision of 12 July 2016. This could occur pursuant to a challenge to the decision filed with the Court of Justice within two months after publication of the decision in the EU Official Journal. But no EU institution or member state challenged the decision.

Second, despite clear concerns that the Trump administration would place less weight on scrupulous enforcement of Privacy Shield than the Obama administration, which prepared and launched it, no changes have occurred in law or practice pointing in that direction. Moreover, the National Security Agency issued a statement on abandonment of surveillance activities outside US borders pursuant to the Foreign Intelligence Surveillance Act.

Although the programme focuses on forwarding of data by private entities, it is the potential access by US security agencies to data transmitted from the EU that is the main concern of the European side. During the development of Privacy Shield US regulations limiting official access to personal data were taken into consideration, and the position of Privacy Shield Ombudsperson was established to field questions and complaints by European citizens concerning access by security services to their personal data; nonetheless, European pressure to raise the protection guarantees has not diminished. It is expected that the conditions for access by US officials to personal data from Europe will be crucial for evaluation and evolution of the programme.

Sylwia Paszek, Data Protection practice, Wardyński & Partners