The COM(2016) 117 document issued today by the Commission clarifies the EU-U.S. Privacy Shield agreed on February 2. Its first part reads like an advertising brochure for the new Regulation (GDPR), which has not been issued yet and will take another two years to become effective. Its current relevance to the defunct Safe Harbour agreement is not at all clear. It seems more of an attempt to emphasise how serious the Commission’s commitment to privacy protection is. But, as is often the case, a chain is only as strong as its weakest link, and the U.S. intelligence agencies have proven to be that weakest link.
The Commission lists the following changes in the EU U.S. Privacy Shield compared to the original Safe Harbour agreement:
- Stronger obligations. We know these from the Regulation, but strong obligations without enforcement are dead meat. These obligations should include stricter liability for companies adhering to the Shield.
- Stronger enforcement. The U.S. Department of Commerce promises ‘rigorous monitoring’, and enforcement will be taken care of by the Federal Trade Commission with, according to the Commission, ‘severe sanctions’.
- Limitation of Government access. Yes, limitation, not barring of government access: “access by public authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms”. EU data subjects’ complaints will be handled by a special U.S. ombudsman.
- Accessible dispute resolution. EU citizens should get access to free alternative dispute resolution. The Commission mentions other ways of redress, but does not name them. Processing of HR data falls under the direct jurisdiction of the European DPA, but this concerns only HR data; for other types of personal data, submission to an EU DPA is voluntary.
- An annual joint review, which is claimed to be “not a formalistic exercise without consequences”, as in certain circumstances “the Commission will activate the process to suspend the Privacy Shield”.
Can you safely use the EU-U.S. Privacy Shield for your intercontinental data transfers? Not yet. Both the ‘comitology’ procedure and the view of the European Data Protection Supervisor still have to be awaited. How realistic is it to suppose that the Shield will provide EU citizens with the kind of protection that the Schrems decision asked for regarding public authorities’ access to personal data and effective and (thus) enforceable data protection rights? It is completely unrealistic to assume that the Commission will at some point close down Google, Facebook and the like. However, the type of sanctions foreseen in the GDPR might do the trick. If money starts to talk, compliance may not be imminent, but it will be taken more seriously.