In a somewhat surprising announcement, the EU reached an agreement on the framework to replace the recently struck down EU/US Safe Harbor. The new framework has been dubbed the “Privacy Shield.” Despite the fanfare around this new framework, digging into the details yields a much more realistic picture.
US/EU POSTURE UPDATE
On its face, both the EU and US appear to be in step on approaching and implementing the new Privacy Shield. The European Commission (“EC”) issued an official EU Press Release supporting the new framework, which was echoed by the U.S. Secretary of Commerce in the official US Press Release and accompanying video.
THE DEVIL IS IN THE DETAILS
Unfortunately, the details on the agreement are remarkably sparse. On the U.S. side, details are non-existent.
Thankfully, the EC included some details in their Press Release as to what we can expect once we are protected by the Privacy Shield:
- Strong obligations for U.S. companies handling Europeans’ personal data, coupled with robust enforcement;
- Clear safeguard and transparency obligations for U.S. government access; and
- Effective protection of EU citizens’ rights with several redress possibilities.
In short, U.S. companies must commit to certain privacy protection requirements and oversight; cease indiscriminate mass surveillance; and give EU citizens a variety of ways to object to improper use of their data.
The most notable advancement here is the U.S. statement that it will cease indiscriminate mass surveillance of EU citizens. This does not mean that the U.S. will not surveil EU citizens for law enforcement and national security purposes, but that when it does so, it will be subject to clear limitations, safeguards and oversight mechanisms.
REALITY CHECK & NEXT STEPS
While the above news is heartening, the EU Press Release makes two things abundantly clear:
- No actual agreement has been reached, rather an agreement to agree; and
- The 28 Data Protection Authorities (“DPAs”) responsible for approving any new agreement are not privy to the details of the new agreement and were perhaps not involved in the negotiations in a meaningful manner.
All of this is not to say that an actual framework will not be agreed upon, but given the two years it took to reach an agreement to agree, expectations should be tempered.
Up next, the Commission has mandated that Vice-President Ansip and Commissioner Jourová prepare a draft “adequacy statement” after obtaining “advice” from the Article 29 Working Party (primarily composed of DPAs) for adoption by the College of Commissioners.
Given the recent statements from various DPAs, this process will likely be an uphill battle. In tandem with this effort, the U.S. must push Congress to enact protections and safeguards that will satisfy the EU.
If early signs are any indication, the U.S. may face an easier task with the support of the normally contrarian US Congressional Republicans.
At its core, the task is to address the two key issues that led to the downfall of Safe Harbor: the U.S. must enact and enforce adequate safeguards, and the DPAs must agree that those safeguards are adequate.
So, while a new safe harbor may be in sight, we must first navigate the breakwaters before we can breathe easy.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.