Article - Implementation of the new EU-US Privacy Shield (March 2016)

The proposed EU-US Privacy Shield is set to replace the former Safe Harbor as the key mechanism for the transfer of personal data from the European Union to the United States. The draft Privacy Shield adequacy decision by the European Commission is yet to be formalised - the Commission must first seek the opinion of the influential Article 29 Working Party. However, it is almost certain that the Privacy Shield will be implemented in some form in the near future.

The former Safe Harbor framework was the subject of extensive research and analysis by Galexia, including a major report in 2008[1] followed by ongoing monitoring and the submission of evidence and reports to the EU and US authorities.

How does the proposed Privacy Shield compare to the Safe Harbor?

The starting point for the Privacy Shield is that it has been designed in response to a specific legal decision by the European Court of Justice (Maximillian Schrems v. Data Protection Commissioner, Court of Justice of the European Union, C-362/14 (2015)). That decision found that the original Safe Harbor adequacy decision (from 2000) was adopted without sufficient limits on access to personal data and interference by governmental authorities. The court also criticised the absence of a right to any form of dispute resolution or legal redress for European citizens affected by US surveillance.

Although both the Safe Harbor and the Privacy Shield are the result of compromise and negotiation between two very different privacy regimes, the impact of the Schrems case means that the parties have been forced to strengthen the protections and limitations available in the Privacy Shield.

The two big-ticket changes are:

  • The introduction of a right to legal redress for European citizens who wish to challenge the disclosure of their personal data to government authorities in the US (through the Judicial Redress Act); and
  • A suite of limitations, oversight and governance on US national surveillance agencies and their activities.

This combination of specific limitations on surveillance, backed up by a judicial redress procedure, is a significant departure from the vague wording used in the original Safe Harbor agreement.

There are also a number of other crucial changes to the Privacy Shield that have a broader impact outside the surveillance / intelligence space.

There are dozens of changes contained in the complex legal documentation that forms the Privacy Shield. Some of the key highlights are:

  • The removal of consumer charges (and the threat of charges) for dispute resolution. This removes a significant deterrent to consumer action that affected the Safe Harbor;
  • A commitment that all consumer complaints will be answered and resolved. This may turn out to be the most significant difference in practice between the Safe Harbor and the Privacy Shield;
  • Shifting key implementation requirements from voluntary guidelines (which were unenforceable in the Safe Harbor) to mandatory rules;
  • A commitment to monitor and enforce ‘compliance verification reports’ for the first time. These reports formed part of the Safe Harbor but they were never enforced; and
  • A commitment to monitor and enforce false claims of Privacy Shield membership.

The replacement of the Safe Harbor agreement with the EU-US Privacy Shield is still subject to some uncertainty. For example, the new limitations and conditions on surveillance may be the subject of further legal challenges in Europe. But the Privacy Shield now contains a process for continual review and improvement through: formal annual performance reviews; regular reviews of the adequacy decision; and a more comprehensive complaints and dispute resolution process. It will be important to learn from the experience of the Safe Harbor and to use these new processes to drive ongoing reform and improvement.

A final decision on the approval of the Privacy Shield is expected to be announced before the end of June 2016.

The draft Adequacy Decision on the EU-US Privacy Shield by the European Commission is available at:
<http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf>

Chris Connolly
Galexia, March 2016.





[1] The US Safe Harbor - Fact or Fiction?, December 2008, <http://www.galexia.com/public/research/articles/research_articles-pa08.html>.