Privacy Shield May Not Be “Schrems-Proof”, But Passage Approved

The European Commission is expected to pass a controversial declaration on the “adequacy of US data protection standards” on 12 July, making transfers of personal data from the European Union to the United States legal once more.

The schedule is available here. [Update: Privacy Shield was approved, and US Commerce Secretary Penny Pritzker and EU Justice, Consumers and Gender Equality Commissioner Věra Jourová announced the new programme.]

The adequacy decision was made possible by the new Privacy Shield Agreement negotiated between the EU and the US and passed by the Article 31 Group of EU member states last week.

Negotiations for Privacy Shield and the new adequacy decision became necessary after the EU Court of Justice invalidated the Safe Harbor Agreement between the two parties, declaring it unconstitutional under EU data protection laws.

EU Commissioner Vera Jourova today at a meeting of the Committee on Civil Liberties, Justice and Home Affairs in Brussels acknowledged that not all member states are happy with the Privacy Shield.

Germany and France filed declarations, Jourova said. Both countries declared while concerned about the effectiveness of protections they wanted to “give it a chance,” but will take a close look at implementation in one year.

Jourova underlined the Privacy Shield includes annual joint reviews and possibly will need to be renegotiated once more when the new EU Data Protection Regulation becomes effective in 2018.

Four more EU member states have abstained from the vote on the Privacy Shield, including Austria, home country of law student and researcher Max Schrems, who had filed the original complaint that resulted in the court verdict against the Safe Harbor data transfers.

During the LIBE committee meeting today (11 July), Jourova heard more warnings that the Privacy Shield will not hold up to another constitutional complaint. “I am afraid it is not Schrems-proof,” Dutch Liberal Sophie In’t Veld said.

Bulk collection of data is still possible, members of the Socialist and Democrat (S&D), the Liberal, the Green and the Left Party groups agreed. Several committee members questioned whether the new ombudsperson, one of several avenues to seek redress redress, has enough independence. US Under Secretary of State Catherine Novelli has been named as Privacy Shield ombudsperson.

As Senior Coordinator for International Information Technology Diplomacy, Novelli also acts as “point of contact for foreign governments that wish to raise concerns regarding US signals intelligence activities.”

Another big question mark, according Juan Fernando Lopez Aguilar (S&D), is that as long as the effectiveness of the privacy protection for EU citizens is dependent on presidential decrees, namely Presidential Policy Directive 28 – instead of binding law passed by Congress – there is a high level of uncertainty.