14 Apr 2016
Privacy Shield: Not Quite There Yet
14 Apr 2016
The Article 29 Data Protection Working Party, a panel of EU privacy watchdogs, met on 12th and 13th April to discuss Privacy Shield, the new scheme for data transfers between the US and the European Union. The result of their debates show that the issue isn’t quite resolved yet.
The Story So Far
Last October, the European Court of Justice (ECJ) struck down Safe Harbor, the data transfer pact used by US companies for 15 years. The European Commission and the US commerce department came up with a new text in February. The Privacy Shield agreement was meant to bring a new framework for cross-atlantic data transfers.
Although the European Commission had stated on its release that Privacy Shield was “a strong framework” that would “protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies”, the Article 29 Working Party (also referred to as WP29) had saved their judgement until they could have a deeper look at the text.
Companies who had been relying on Safe Harbor -there are at least 4000 of them– have been eagerly waiting to hear more about the new agreement, in order to know if they can move forward with it and leave the legal grey zone that the invalidation of Safe Harbor has left them in.
What Do European Privacy Watchdogs Say About Privacy Shield?
Back in February, the Article 29 Working Party warned that it would take them two months to fully examine the agreement in order to give their opinion on it. The group met for two days, on the 12th and 13th April, before giving their official assessment.
Basically, on the one hand, the WP29 acknowledges a “great improvement” when comparing Privacy Shield to Safe Harbor, especially on the commercial side: efforts have been made in order to define and give a better framework for personal data transfers.
But, on the other hand, they raised a number of significant “concerns”, including:
- The agreement itself is far too complex.
- There are no safeguards to protect EU citizens from potential bulk data collection carried out by US mass surveillance programs, which means the agreement falls short of legal European standards;
- European citizens willing to appeal for the misuse of their private data will be faced with complex legal mechanisms to do so.
- There are not enough guarantees in the status of the ombudsperson to ensure that this figure will indeed remain an independent authority.
What’s Next, Then?
The Article 29 Working Party requested further clarifications on the Privacy Shield agreement. In any case, the text is still under work, and it may take several months to get the final version, which is not expected to be finalised before end of June. The European Commission will have the last word.
Although the Article 29 Working Party’s judgement is not legally binding, it will influence future decision-making on the topic and raise further concerns, leading to more confusion for companies who have already been dealing with uncertainty since the invalidation of Safe Harbor.
The European Commission is supposed to take advice from the Article 29 Working Party, but also from a committee composed of representatives of the Member States. However, experts believe it is unlikely that the European Commission will change its support to the agreement as it is and go back to drafting a completely new treaty with the US.
For now, all companies can do is sit and wait. We will be watching the matter closely and we will keep you updated, as we have done it in the past weeks. In the meantime, rest assured: if you are a Mailjet user, you don’t have to worry about your or your customers’ data privacy status, as our servers are all based in Europe and we comply with all EU data privacy regulation.