BEUC NEWS - 05.02.2016

On February 2, the European Commission and US government stitched together a political deal for a ‘Privacy Shield’, replacing the Safe Harbor data transfer agreement which was declared invalid by the European Court of Justice (ECJ) last October.

We are highly sceptical that this ‘shield’ can protect Europeans’ personal data effectively according to the requirements set out by the ECJ in its Schrems vs Facebook ruling. The fundamental differences in protection between the US and EU data protection regimes are too large and remain unchanged.

Hardly anything, except general principles, has been disclosed and there is little to indicate the US will change its approach to data privacy:

1. There is still no independent US authority equivalent to the EU data protection bodies in competence, powers and obligations when it comes to complaint handling.
2. The ‘Privacy Shield’ does not seem – as was the case with Safe Harbor – to be based on anything firmer than company self-certification.
3. Companies who build their business model on amassing personal data cannot be trusted to handle privacy complaints – one of the redress possibilities proposed under this deal.

It is telling that national data protection bodies – when meeting in Brussels this week have been unable to confirm the Commission’s claim that the ‘Privacy Shield’ meets the benchmarks set by the European Union’s highest court and effectively protects European consumers’ personal data.

It will take several weeks until the actual content of the ‘Privacy Shield’ agreement is finalised. In the meantime, consumers, citizens, data protection authorities and the European Parliament are all left in the dark.

It is now time to call the bluff on this poker game in which the US holds all the cards. Data Protection authorities must carry out their duty and start actively investigating whether companies transferring European citizens’ personal data to the US are complying with EU data protection rules.