Privacy Shield: The Successor to Safe Harbor

After the Safe Harbour judgment (which I wrote about here, here and here), it has been quiet for a little while. In essence, this judgment of the EU Court of Justice made it impossible to transfer personal data from the EU to the USA under the Safe Harbour rules. National privacy regulators in the EU, united in the Article 29 Working Party of the EU, have held off on enforcing this new situation, initially until last February. By doing so, they wanted to give the EU Commission the opportunity to renegotiate the Safe Harbour agreement with the US - something that was in the works already before the Safe Harbour judgment. By February 2nd, the EU Commission had indeed managed to negotiate a new Data Protection deal with the USA, called the Privacy Shield - essentially the successor to the defunct Safe Harbour agreement. Following this new agreement, the Article 29 Working Party proceeded to analyze its compliance with the rules set by the EU Court of Justice. On April 13th, the results of this analysis were published, and this entry takes a closer look at that analysis.

First of all, why is this important? Remember that the Safe Harbour agreement was the foremost means by which personal data could be transferred from the EU to the USA, until its demise on October 6th 2015. As I wrote earlier, this means that all such transfers relying on Safe Harbour immediately became illegal and could continue only because of the reluctance of the national regulators to fully enforce the judgment. As described above, that reluctance of the national regulators revolved around the renegotiation of the Safe Harbour agreement and the compliance of any new arrangement with the EU Court of Justice judgment. Simply put: whether companies can continue transferring personal data to the USA under the Safe Harbour successor, now called Privacy Shield, depends in part on whether the Article 29 Working Party considers the Privacy Shield rules to be adequate. If not, then anyone still using Safe Harbour, or planning to use Privacy Shield, for transfers of personal data to the USA could face significant legal problems.

So what does the Article 29 Working Party say about the new Privacy Shield in its analysis? I will focus on two key issues: protection against mass surveillance and adequate access to an independent court for data subjects. Both of these issues were key in the EU Court of Justice's decision to declare Safe Harbour invalid.

  1. Regarding protection against mass surveillance: in the Executive Summary (page 4), in its detailed analysis (section 3.3) and in the Conclusions and Recommendations (section 5.1), the Article 29 Working Party clearly states that mass surveillance by US authorities using data transferred under the Privacy Shield is still a big concern. The Article 29 Working Party points out that even under the new Privacy Shield, there is still the possibility of mass surveillance by US authorities using data transferred under Privacy Shield, and it is not convinced that this aspect of Privacy Shield is in compliance with EU privacy laws.
  2. Regarding access to an independent court: in the Executive Summary (page 4), in its detailed analysis (section 3.5) and in the Conclusions and Recommendations (section 5.1), the Article 29 Working Party clearly states that it is not convinced that the Privacy Shield offers adequate access to an independent court. The Ombudsman mechanism foreseen in Privacy Shield has - in the opinion of the Working Party - significant deficiencies.

In summary: the Article 29 Working Party sees significant deficiencies in the Privacy Shield agreement as the successor to Safe Harbour. This is repeated in the press release of the Working Party accompanying its analysis of Privacy Shield.

What does this mean for those who need to transfer personal data from the EU to the USA, and to practitioners in the field of privacy law? When looking at the analysis and press release of the Article 29 Working Party, one thing is almost glaringly absent: any mention of enforcement. Of course, at this moment in time, transfers under Privacy Shield are not yet allowed anyway, because the necessary EU Commission Decision has not been formalized yet. Given the objections of the Article 29 Working Party, it is also not clear whether future data transfers under Privacy Shield will actually be allowed by privacy regulators, or whether such transfers will be considered illegal. The same applies to transfers still taking place under Safe Harbour: it is unclear whether the moratorium on enforcement regarding such transfers is still in place. So, for the time being, the advice is: do not rely on Safe Harbour or on Privacy Shield to legally transfer personal data to the USA.

Will the new Privacy Shield agreement be useable in the future? I have no doubt that there are many companies and organizations that intend or even need to rely on Privacy Shield for their operations. Many of these will have relied on Safe Harbour in the past (or are perhaps still doing so), others cannot or will not use the alternate means of legally transferring personal data to the USA (most notably: the EU Standard Contractual Clauses). However, given the significant concerns expressed by the Article 29 Working Party, I really doubt that Privacy Shield will in the long run be considered acceptable. Anyone planning to rely on Privacy Shield for their data operations faces two risks:

  • The Working Party has not accepted Privacy Shield as adequate. This means that there is a risk that individual privacy regulators in EU countries are going to disallow any transfers under Privacy Shield, once it has been formalized. The Safe Harbour judgment explicitly gives them that power.
  • It is probably unavoidable that the Privacy Shield agreement, once formalized, will be reviewed by the EU Court of Justice. After the analysis of the Article 29 Working Party and its significant concerns, I cannot see how the Court would accept Privacy Shield as being compliant with EU law and the Court's standing jurisprudence, at least not in its current form. In other words: even if Privacy Shield is put in place now, there is a significant risk that in a few years it will be declared invalid, just like Safe Harbour.

My recommendation: avoid relying on Privacy Shield (or Safe Harbour, for that matter) for any kind of operation involving the transfer of personal data to the USA. If such a transfer cannot be avoided, use the EU Standard Contractual Clauses instead.



Dr. Martin Beckmann

© 2013 - 2016 Adviesbureau Beckmann B.V., Eurode-Park 1 - 62, 6461 KB Kerkrade, The Netherlands