Thousands of European and US companies will have been relieved by the recent announcement that the EU-US Privacy Shield (the framework for regulating transatlantic exchanges of personal data) is secure for another year.
However, it may be premature to rejoice: the EU Commission’s review highlighted two key issues:
- the continued reluctance by the US to institute fundamental safeguards for individuals’ personal data; and
- the imminent need to appoint an independent ombudsman.
Coupled with the impending European court ruling in Schrems II – is the Privacy Shield’s demise only a matter of time?
US National Security vs. European Right to Privacy
The recent review by the EU Commission highlighted that the United States’ stance (both legally and politically) toward the collection of personal data in the interests of national security has not significantly changed since the Privacy Shield’s introduction and no new guarantees have been introduced to safeguard individuals rights.
The Commission noted that the potential impact on and tension with the Privacy Shield from the enactment of the CLOUD Act (obliging US service providers to comply with US orders to disclose data, regardless of its storage location) and the reauthorisation of FISA (the NSA’s warrantless surveillance programme, allowing access to communications of foreigners outside the US).
Fundamentally, this approach of compromising data protection safeguards in the interests of national security was a key reason for the European courts striking down the original EU-US data transfer framework, Safe Habor, in 2015. If the US continues down this path, and the European court follows the principles it set out for striking down Safe Harbor, the Privacy Shield could find itself in dangerous waters.
Ombudsman To The Rescue?
Most notably, despite last year’s recommendation by the Commission, a permanent, independent Privacy Shield ombudsman has yet to be appointed. Its appointment is of fundamental importance to the EU, with the Commission stating “it is meant to compensate for the uncertainty or unlikeliness to seek effective redress before a US court in surveillance matters”. Given the importance of this role, the Commission threatened to take significant action if the ombudsman was not appointed by 28 February 2019.
The Trump Administration has recently declared that it intends to nominate tech entrepreneur, Keith Krach, to the position. Whilst this announcement was welcomed by the Commission, this appointment has yet to be approved by the Senate and the EU has called upon the US “to proceed with the [Senate] hearings swiftly so Mr Krach can assume his duties as soon as possible”.
However, this may not be the “silver bullet” to save the Privacy Shield. The Irish High Court, in its initial Schrems II judgment, stated that the creation of a US ombudsman position would not necessarily eliminate “well founded concerns” regarding the adequacy of protection afforded to the data of EU citizens.
It seems that a significant battle still lies ahead between Brussels and Washington over the Privacy Shield’s future.