By Owen Bennett
On 3rd February, the European Commission announced it had reached a political agreement with negotiators from the US Department of Commerce on a new framework for transatlantic data transfers: the EU-US Privacy Shield.
Transatlantic data transfers have been caught in limbo since the European Court of Justice (ECJ) ruled in October 2015 that the previous transfer mechanism – ‘Safe Harbour’ – was null and void owing to mass interception of European users’ data by US intelligence services.
Negotiators from both sides had been working on a replacement for Safe Harbour since 2013, when Edward Snowden exposed the extent of US mass surveillance. However, the ECJ ruling injected a degree of urgency into those negotiations, given the risk that national Data Protection Authorities (DPAs) would suspend data transfers. Naturally, such a move would have catastrophic effects on transatlantic trade and digital consumer services.
But the agreement reached on 3rd February is by no means the end of this political saga. At this point, Privacy Shield is simply a political commitment by the US government to respect several high-level principles around data protection. From this agreement, the European Commission must now draft a so-called ‘Adequacy Decision’ – a legal text attesting to the ‘essential equivalence’ of US data protection rules vis-à-vis those enshrined in EU law. Without such a Decision, most companies would not have the legal basis to transfer data to the US, as there would be no legal guarantee that user data would be protected to EU standards.
The European Commission’s Adequacy Decision is expected to be ready by June 2016, and will contain a detailed elaboration of companies’ privacy obligations, user redress mechanisms, and safeguards against mass surveillance. Interestingly, the Commission’s Decision will be backed up by three letters signed by the “highest levels” of the US Department of Commerce and State Department. The Commission is confident that these signed letters will provide a sufficient legal basis to support the Adequacy Decision.
Yet the Commission ought not to consider the adoption of the Adequacy Decision a foregone conclusion. National DPAs have seized on the Safe Harbour episode as an opportunity to flex their political muscle, and DPAs from the 28 Member States will publish their verdict on the new Privacy Shield agreement in early April. While not legally binding on the Commission, a negative Opinion from the so-called Article 29 Working Party would deal a real blow to the Commission’s efforts to push ahead with a new data transfer framework. At the political level of the Commission, DPA endorsement of the new agreement is seen as essential to getting it up and running.
And of course, it is almost a certainty that digital rights activists will seek to test the legal standing of the Adequacy Decision in the European Court of Justice once again.
Privately, the Commission is confident that the new agreement meets the criteria set down by the ECJ in the Schrems judgement. But such confidence will not assuage industry fears, with the ongoing legal limbo threatening a great many digital business models built on aggregated data processing.
Ultimately, there are many ‘known unknowns’ on the road to restoring legal certainty around transatlantic data transfers. And rather than closing the book on the Safe Harbour crisis, the announcement of Privacy Shield has simply opened a whole new chapter in this remarkable saga.