This week marks a very special anniversary; last year, on the 6th of October, Max Schrems blew up the Safe Harbour Framework. It was the bitter end of the much contested instrument that allowed organizations to send personal data over to the US. The cause of its demise? Well, it was the whistle blown on mass surveillance programmes run by US authorities of course. After all, what would be the point of awarding our personal data with such a high level of protection, if a foreign government freely snoops around in our most private of affairs?
However, the valiant protection of our privacy did not come without a cost. It shouldn’t surprise anyone that international data traffic has become big business. Every second tens of thousands of gigabytes are sent on their way to support economic activities worth hundreds of billions of euro’s (or dollars, depending on which side of the pond you’re on). Think about the countless online purchases made each day, the cloud services we’ve come to embrace or just plain old email communication. Now imagine how cumbersome these services become if, all of a sudden, personal data such as names and (physical or email) adresses are not allowed to enter the US.
That was the case until about two months ago. Since the first of August, US organizations are able to self-certify once again. This time, the EU-US Privacy Shield ought to make data traffic economically viable, while keeping our privacy intact. But, the question needs to be asked: is this brand new framework worth its salt?
The Working Party 29, for one, has already expressed its doubts (for the second time since April). The Party, which combines all of Europe’s privacy watchdogs, acknowledged the improvements compared to Safe Harbor. Nevertheless, it has also indicated a few vulnerabilities that may put the Shield on shaky ground:
- The Party regrets that the rules concerning automated decision making and the general right to object have not survived negotiations.
- It remains unclear how the Shield will apply to data processors, a particularly important point because of the greater emphasis on the processor’s responsibility in the GDPR.
- The Shield grants little assurance that government surveillance will not take place as before.
- The Party questions the independence of the Ombudsperson who whill be appointed by the American government to follow up on complaints of EU individuals.
It is unfortunate that the framework designed to provide a solution for international data traffic is still riddled with uncertainty. Organizations might be hesitant to commit to a system that does not put them on solid ground. It is advisable that these organizations look into alternative means, such as Binding Corporate Rules or Standard Contractual Clauses, in order to strengthen their position.
For the time being, the Working Party will let events run their course. In one year’s time, however, the Privacy Shield will be up for review and we’ll hopefully get a better view on what works and what doesn’t. In particular, the Working Party will take a look at access by public authorities, based on all the information they deem necessary. Nevertheless, in the meantime the Privacy Shield is open to legal challenges and it is by no means unthinkable that the European Court of Justice will strike as it has done before.