By:
Gregory P. Bufithis, Esq.
Founder/CEO
30 July 2016 (Milos, Greece)– Europe’s data protection authorities will hold fire for one year on the new Privacy Shield agreement, withholding any potential legal challenges until mid-2017. In a statement by the Article 29 Working Party (WP29) (a fairly influential body in these matters) they noted it was still unhappy with the final text of the agreement — which replaces the previous Safe Harbor agreement between Europe and the United States and covers transatlantic data flows — but that it would wait until the first annual review before putting forward any formal challenges.
The decision will come as a huge relief to US corporations who rely on the agreement for billions of dollars of trade. The group had previously said the draft Privacy Shield agreement was “too complex … and therefore ineffective” and so overall was “not acceptable.” Those criticisms led to changes being made — which the group acknowledges in its letter — but it remains skeptical that they will be sufficient:
“The WP29 commends the Commission and the US authorities for having taken our concerns into consideration in the final version of the Privacy Shield documents. However, a number of these concerns remain.”
Those concerns are largely the same:
1.that the U.S. government will find a way to continue carrying out mass surveillance of European citizens through semantics, the wording of the agreement offering plenty of opportunities
2. that the new Ombudsman role created to look into any complaints is toothless; and
3. that the annual review will be designed in such a way as to be largely useless.
On the critical issue of US government surveillance, it said:
“Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.”
The first annual review is expected to take place in July 2017 — one year after it was formally signed — and the working party has said it will use that opportunity to “not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective.”
It also warned that it won’t be steamrolled in the lead-up to the review, stating that:
“all members of the joint review team shall have the possibility to directly access all the information necessary for the performance of their review, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities.”
In other words: don’t think you can fob us off in a year’s time.
Of course as I noted earlier, the agreement is already under legal challenge by the very lawsuit that caused Safe Harbor to be struck down in the first place: Max Schrems’ case against Facebook. But as Schrems indicated earlier this week, his case has also been punted down the road by at least a year. Currently, his case is at the Irish High Court where it is deciding whether to approve a request by the Irish data protection commissioner to ask the European Court of Justice (ECJ) whether Facebook’s contract clauses over data usage are legal.
NOTE: the legal timeline for this latest case has been unusually padded (the first Schrems case moved very fast through the system), meaning that the case will not appear before the ECJ until 2017 at the earliest. And if you think that sounds suspiciously like … ah … collusion??!! … as though the European Union, Irish and American governments have been working together behind the scenes to force a one-year period of calm over the whole affair … well, you’d be right.
But the WP29 has seemingly accepted that compromise, although it made a point to warn the U.S. government in particular that it won’t be backing down come next year. It warns that it will
“proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints.”
And it also noted it would be looking at the Privacy Shield in terms of its
“impact [on] transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”
Oh, yes. The chest-beating will concern authorities on both sides of the Atlantic, but overall the fact that a showdown has been put off for a further 12 months will be seen as a success … especially by civil servants who spend most of their time trying to ensure conflicts only ever take place in the future.
We hope you are all enjoying your summer.