Privacy Shield officially adopted by the EU Commission … but American organizations “targeting Europe” might want to consider whether GDPR compliance would make more sense

On July 12, 2016, the European Commission officially approved the Privacy Shield, issuing the decision of adequacy (“Decision”). The Privacy Shield is supposed to provide a safe mechanism to transfer personal data from the EU to the US for those organizations that comply with the framework.  Compared to the Safe Harbor (which the Privacy Shield substitutes) the Privacy Shield contains stronger obligations on U.S. companies, clearer safeguards for data subjects, transparency on U.S. government’s access, and more redress possibilities for EU citizens.

The approval was not a picnic: controversies have surrounded the Privacy Shield since the February 2, 2016 agreement with the US, including serious concerns raised by the WP29, the European Data Protection Supervisor, the Article 31 committee, and the European Parliament. The approval of the Decision was not unanimous (of the 28 EU diplomats, 4 abstained from the vote) and there have already been suggestions the Decision might end soon in front of the European Court of Justice (“ECJ”): indeed, the concerns that caused the ECJ to strike down the Safe Harbor have not been completely solved by the Privacy Shield (see below).

Article 1 of the Decision reads (in part):

 For the purposes of Article 25(2) of Directive 95/46/EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.

 Technically the Privacy Shield “is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VII.” Article 1(2) of the Decision.

The Decision will be revisited in one year (and then every year thereafter). Article 4(4).

Among the reasons of suspension, amendment, and repeal of the Decision, is evidence of indiscriminate mass surveillance by the U.S. Government:

 [Draft measures to suspend, amend or repeal of the Decision will be presented, where there are indications]

– that the U.S. public authorities do not comply with the representations and commitments contained in the documents annexed to this Decision, including as regards the conditions and limitations for access by U.S. public authorities for law enforcement, national security and other public interest purposes to personal data transferred under the EU-U.S. Privacy Shield. Article 4(6).

       The Decision, notified to the 28 member states, enters into force immediately. As said, however, it might not take long before a challenge to the ECJ is brought.

There are some indications in this sense. The Irish DPA has resolved to ask the Irish High Court to refer a question to the ECJ regarding the Model Clauses, which was one of the alternatives that American organizations, among which Facebook, have been using — after the October 6, 2015 invalidation of the Safe Harbor framework — to transfer data from the EU to the US. The Irish DPA’s basis for the challenge is the continuing “application of US mass surveillance laws”.

We must remember the concern that grounded the invalidation of the Safe Harbor by the ECJ:

 legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (Maximilian Schrems v. Data Protection Commissioner at 94)

            If the ECJ decides that the Model Clauses mechanism is not compliant with the EU law because of mass surveillance issues, the same could be said of the Privacy Shield.

As I have already written in another blog, a solution (at least for bigger American organizations “targeting Europe”), is to start to look at the General Data Protection Regulation (“GDPR”) and to consider whether it would make more sense to comply with it instead of complying with a mechanism that might soon be challenged. It is worth remembering that – starting from the Spring of 2018 – the organizations, anywhere located, offering goods or services “to … data subjects in the Union” or monitoring their behavior (GDPR Article 3), are bound to comply with the GDPR.

For more information, Francesca Giannoni-Crystal.

 Read here the decision of adequacy (full title: COMMISSION IMPLEMENTING DECISION of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield)

Open PDF