European Commission officially adopts Privacy Shield agreement
The European Commission has officially adopted the Privacy Shield Agreement between the European Union and the US. The deal will take effect immediately and companies will be able to apply for certification from August.
Once Member States have been informed of the Commission’s decision, the final step in the agreement process has been taken, the Commission said in a press release. This means that there is now a replacement for the Safe Harbor arrangement, which was declared invalid by the European Court of Justice in October 2015. The ruling came in response to a case that Austrian Max Schrems had brought against Facebook.
The Privacy Shield is an ‘adequacy decision’, with which the European Commission can record that the protection of personal data in a country outside the EU corresponds to that of the EU itself, in other words that it is ‘essentially equivalent’. The current adequacy decision focuses only on the US and applies to anyone who wishes to transfer personal data to that country.
Part of the agreement is that the US Department of Commerce regularly checks whether participating companies are complying with the rules. Companies can in fact certify themselves under the Privacy Shield, with which they indicate that they adhere to the rules laid down therein. This mechanism was already present in the Safe Harbor arrangement.
In addition, rules have been drawn up for the onward transfer of personal data after it has arrived in the US. The shield also contains rules for the duration for which data can be stored. Mass surveillance indiscriminately should be excluded under the agreement, and the bulk collection of data should only be in very specific cases and as targeted as possible. In addition, citizens can use various methods of dispute resolution if they believe that their data is being misused. One of these methods is through an ombudsman.
Large companies are positive about the Privacy Shield. For example, Google said that “the agreement demonstrates that the US shares important values and can work together to protect privacy.” Microsoft says the shield is “an important achievement for the privacy rights of European citizens and for companies that depend on international data flows.”
In addition to the positive sounds, there is also a lot of criticism of the Privacy Shield. For example, Max Schrems argues that the final text contains many flaws. The final product would arise from pressure from the US and the ICT industry, rather than from reasonable considerations. Moreover, the text would do no good for both users and businesses and only represent a marginal improvement over the Safe Harbor arrangement. Schrems therefore expects that the Privacy Shield will share the fate of that arrangement and that it will probably be declared invalid again by a judge.