LegalRegulationSurveillance-IT

EU-US Privacy Shield Passes First Annual Review

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Relief for Facebook, Google etc as controversial data sharing agreement with the US passes its first test

European officials have given the green light to the EU-US Privacy Shield annual review – the first review under the new US administration of President Donald Trump.

The Privacy Shield was brought into force on Jul\y 12 last year after the European Court of Justice, the EU’s top court, struck down its predecessor in October 2015.

That previous agreement, known as ‘Safe Harbour’, was cancelled amidst concerns over European data being monitored under the US government’s mass surveillance programmes.

NSAeagle_circle_big

Green Light

The Privacy Shield pact seeks to ensure privacy protections by giving EU citizens stronger means of seeking redress in disputes, including a privacy ombudsman within the US State Department assigned the task of dealing with EU complaints.

But one of the EU’s current issues with the deal heading into the annual review, was the new US presidential administration’s failure to appoint an ombudsman.

The review of the agreement was carried out last month, and EU executive said it was satisfied that the framework continues to ensure adequate protection for Europeans’ personal data.

More than 2,400 firms have signed up to the deal, which allows them to transfer Europeans’ data out of the European Union without the need for costly bespoke contracts.

But European officials said there was room for improvements to be made, most notably in the way it works and the strengthening of privacy protections contained in a controversial portion of the U.S. Foreign Intelligence Surveillance Act (FISA).

“The Commission stands strongly behind the Privacy Shield arrangement with the US,” said Andrus Ansip, Commission Vice-President for the Digital Single Market in a statement.

“Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs. This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.”

“Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU,” said Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, but pointed out that improvements were needed.

Improvement Needed

“Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation,” said Jourová.

“The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards.”

The European Commission said that overall the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the US.

The EU also said that the United States had: “put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals.”

It does however recommend proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations; more awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield; closer cooperation between privacy enforcers; enshrining the protection for non-Americans; and to “appoint as soon as possible a permanent Privacy Shield Ombudsperson”. 

The previous Safe Harbour deal had been in place since 2000, and effectively allowed US firms such as Google and Facebook to collect data on their European users, as long as certain principles around storage and security were upheld.

But it was struck down in 2015 because Facebook and others have (albeit reluctantly) shared the data of EU citizens with American intelligence agencies such as the National Security Agency (NSA), when it requested the data.

Privacy: Where do you store your data?