12 July 2016

Privacy Shield: the end of uncertainty for those transferring data?

Today the EU has confirmed the adoption of the re-worked Privacy Shield, after it was approved last week by all but 4 of the 28 representatives of the EU member states on the Article 31 committee.

What is the Privacy Shield?

The Privacy Shield, or as some would know it, Safe Harbour 2.0, is designed to provide certainty for organisations transferring personal data from within the EU to the US. Certainty is required in order to confirm that a data transfer is subject to sufficient measures to adequately protect the individuals whose data is being transferred. This revised approach proved necessary after the ruling, in October 2015, of the Court of Justice of the EU (CJEU) that the original Safe Harbour programme, in place for the preceding 15 years, was not adequately protecting those individuals’ rights.

Will the Privacy Shield provide the necessary certainty?

So, does the adoption of Privacy Shield now give organisations and businesses that transfer data outside the EU and to the US, for example onto servers located in the US, the certainty they need that their actions will not be in breach of UK or EU data protection laws? Unfortunately, despite the apparently convoluted path through revisions and committee approvals, the Privacy Shield doesn’t look like it’s going to provide the simple fix to this issue that many need. Several privacy campaigners and interested groups would argue that the legal principles raised by the CJEU finding in October 2015 have still not been resolved and that Privacy Shield is therefore little more than a sticking plaster.

The issue at stake here really goes to the heart of how businesses adapt to issues of cyber security on a broader and more globally focussed basis. The original allegations raised by the whistle-blower, Edward Snowden, weren’t just focused on how the US security agencies were accessing individuals’ data once it gets to the US, but also on how they are contractually obliging US technology companies to share data taken from European customers in contravention of their own national or European rights.

Legal challenges and compliance

Whilst Privacy Shield has been undergoing revisions and committee debates since its hasty inception at the end of 2015, privacy rights campaigners have continued to develop legal actions against those US technology companies in an attempt to get to the bottom of the access to personal data and how to protect individuals’ rights more consistently in a global era. As a result, the Privacy Shield itself seems likely to face further legal challenge in due course.

That’s not to say compliance with the new Privacy Shield can be disregarded, of course, not least because the alternatives, such as standard contractual clauses, also remain subject to legal challenge in the Irish courts and are at present subject to a referral to the CJEU (as noted in my previous article here). What this really confirms is how closely any organisation needs to keep a watching brief on data protection issues, as the landscape keeps shifting on almost a weekly basis at the moment.