Today the European Commission outlined an EU-US agreement on a framework for transatlantic data flows – the “Privacy Shield”. The agreement is intended to replace the Safe Harbor agreement, struck down by the Court of Justice of the European Union (CJEU) in October 2015. The text of the agreement was not released and is not expected to be released for several weeks.
It aims to ensure “essential equivalence” between the EU and US legal orders, a standard set out in the Court’s judgment. The CJEU will, in due course, determine whether this standard is met, because challenges and complaints will be filed as soon as the agreement is adopted.
“Depending on how the new agreement is implemented, based on today’s announcement, it does seem to provide some improvements on the protection of EU citizens’ personal data when it is transferred to the United States,” said Jens-Henrik Jeppesen, Director of European Affairs for the Center for Democracy & Technology (CDT).
“However, absent reform of US surveillance law, it is highly unlikely that the Privacy Shield agreement will be deemed sufficient by the Court of Justice. The US Congress should move swiftly to reform FISA Section 702 and EU Member States should also narrow their surveillance laws and practices to be more aligned with international human rights norms,” Jeppesen added.
The format and content of the agreement should reflect the legal and constitutional constraints under which it is being negotiated. As CDT has pointed out, the basis for the Court’s ruling was – and remains – concerns with overbroad data collection by US authorities, especially as authorized under FISA Section 702. This law, which sunsets at the end of next year, remains unchanged, and neither this agreement nor any other commercial data privacy compliance scheme can limit companies’ obligations to disclose data when requested by US law enforcement and national security intelligence agencies. Changes to this law are required in order to protect the rights of Europeans and others outside the US, and to ensure compliance with the Court’s judgment.
However, with the prospect of European Data Protection Authorities (DPAs) taking enforcement action and possibly suspending data transfers from 1 February, the European Commission and US Government had to produce a short-term solution in the form of an agreement that does not involve adoption of legislation.
Some of the expected measures in the Privacy Shield agreement could help deter overbroad use by agencies of the authority granted by Section 702, and the introduction of an Ombudsman institution to handle complaints could provide effective redress for Europeans. Additionally, the agreement outline indicates that US companies will be obliged to commit themselves to public and robust measures governing the receipt, storage, use, and dissemination of personal information they receive from the services they provide in Europe.
“The goal must remain a long-term, sustainable transatlantic consensus on the proper legal framework for law enforcement and national security access to data, as well as strong, transparent commercial privacy practices,” Jeppesen concluded.
Once the actual agreement is publicly released, CDT will provide a more detailed analysis.