With the launch of the EU-US Privacy Shield in August 2016, the European Commission committed itself to reviewing the functioning of the Privacy Shield on an annual basis, and to assessing each year whether it continues to provide an adequate level of protection for personal data transferred from the EU to the US, or remotely viewed by somebody in the US – e.g. for remote support or maintenance purposes – on servers located on EU soil. On October 18th, 2017 the European Commission published its first annual review, in which it claims that the Privacy Shield works, but further specifies that its implementation needs to be improved.
“The Privacy Shield is not a document lying in a drawer. It is a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards.” – dixit Věra Jourová, the Commissioner for Justice, Consumers and Gender Equality.
The Privacy Shield most certainly is not lying in a European drawer; the US drawer, however, seems to be half shut. Even though the US has taken some measures to bring itself in line with European data protection law, such as setting up a process for receiving and reviewing certification applications from companies, an effective legal privacy framework for consumers still seems to be missing. And even the (weak) policies that are in place seem to be inadequately enforced.
The first review is a rather brief report and seems to focus mainly on the positive effects the Privacy Shield has brought in the past year, and on the improvements still to be made to the instruments already in place. The European Commission is of course entitled to highlight these, but the report appears to be in denial about everything the Privacy Shield does not cover. Amongst other things, the review does not consider (or considers only superficially) the issues raised earlier this year by the Committee on Civil Liberties, Justice and Home Affairs (the “LIBE Committee”) regarding the inadequacy of the protection the Privacy Shield provides. Two of these stand out: the lack of independence of the Ombudsperson from the intelligence community, which means that the Ombudsperson in no way constitutes an effective redress mechanism for EU individuals; and the voluntary nature of the certification process, which means that not all US companies must abide by the terms of the EU-US Privacy Shield, and to date only 2 400 companies have actually done so.
Both are essential components of the commitments the US made under the Privacy Shield, and must be addressed immediately to ensure compliance with the EU Charter of Fundamental Rights and with the new EU General Data Protection Regulation, which enters into force on May 25th, 2018. Only in this way will the Privacy Shield be able to serve its purpose, since, as things stand, bulk collection of personal data for national security purposes by the US government remains possible.
Even though the LIBE Committee and the Article 29 Working Party pushed for a thorough and in-depth examination of all shortcomings and weaknesses of the current Privacy Shield during its first annual review, the European Commission has failed to carry one out. Even though it has given the current EU-US Privacy Shield a thumbs up, there is still a lot of work to do and many issues to be addressed to make it fully compliant with the GDPR before May 25th, 2018, and to ensure full compliance with the EU Charter of Fundamental Rights. We are, in any case, already looking forward to any further developments in the EU-US Privacy Shield.