The successor to the EU-US arrangement is Privacy Shield, and European regulators have said it will be permitted to run to at least a year without intervention.
Advertisement
What is Privacy Shield? The US is considered to be one such country.
As Compliance Week reported, the European Commission on July 12 adopted a final version of the EU-U.S. Privacy Shield, keeping intact all the main data protection requirements concerning companies that were set out in the proposed framework issued in February.
But the Edward Snowden revelations on the NSA Prism surveillance program prompted many European politicians and private citizens to question whether the Safe Harbor arrangement was actually compatible with EU privacy dictates.
In late May, the Irish Data Protection Commissioner’s office said it wanted the European Court of Justice, the EU’s highest court, to review backup contractual language that Facebook Inc. and thousands of other companies use to justify sending personal information about Europeans to the U.S.
The group criticised the agreement saying: “Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data”.
The idea is to ensure that the $250 billion dollars of transatlantic trade in digital services can continue unhindered, by wrapping assurances from the U.S. about the handling of cross-border data transfers.
It is the first time that the 28 data protection regulators from around Europe commented on Privacy Shield since European Union governments backed the new data sharing agreement in recent weeks. “Last but not least, the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms”.
The group says that in terms of commercial aspects, there is a lack of “specific rules on automated decisions and of a general right to object”.
“Importantly, the WP29’s statement makes clear that it believes that this remaining work can be carried out in the context of the Shield’s novel joint review process, which was included to enable the Privacy Shield to be a dynamic framework that evolves over time”. It also said that there is a lack of a concrete assurance on the part of the United States that bulk collection of European data will not take place.
Moving forward, the WP29 noted that the first joint annual review will be “a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed”.
Advertisement
Aaron P Simpson, partner at Hunton & Williams told SCMagazineUK.com: “Today’s announcement from the Article 29 Working Party recognises the good work that has been done by the negotiating parties while simultaneously emphasising that more work remains to fine-tune that balance”. It is anticipated that a lot of data processors, particularly amongst technology and other cloud based businesses, are keen to adopt the solution, so that comment, coupled with the moratorium on a decision rather than endorsement, will not help them build confidence amongst their customer base that this method will give protection in the medium to longer term.
