The European Commission has announced in a press release that it has reached an agreement with the United States that will once again make transatlantic flows of personal data possible. Such a framework was badly needed: when the European Court of Justice annulled the legal basis of the Safe Harbor system, it left everyone scratching their heads over how EU personal data could still be lawfully processed in the US.
Shortly after that judgment, negotiations started between the EU and the US to find a solution and fill the legal void it had created. These talks have now resulted in the so-called EU-US Privacy Shield. Although the text of the framework has not yet been made public, the Commission has stated that
- US companies will have to abide by “strong obligations” when processing personal data, and these obligations will be enforceable under US law by the Federal Trade Commission;
- The United States has given written assurances that access to personal data by public authorities for law enforcement and national security will be restricted and that mass surveillance is excluded, which will also be monitored;
- EU citizens will have several redress possibilities if they feel their rights have been violated, such as alternative dispute resolution, a new Ombudsperson, and the possibility of referring complaints to the Department of Commerce and the Federal Trade Commission.
In the coming weeks and months, both the EU and the US will draft the texts and take the measures needed to put this new framework in place. Only then will it become clear how the system will actually work.
Of course, the Commission believes the new framework meets the requirements the European Court of Justice set out when it invalidated Safe Harbor. What strikes us most at the moment, however, is that the first thing to be saved is the American cloud. Thanks to the new arrangement, everyone can pretend it is perfectly fine to keep using that cloud, whereas it remains to be seen to what extent that is actually true.
Basically, the problem we are dealing with is that the US has no general protection for the processing of personal data, while EU legislation requires an adequate level of protection. This would mean the US should adopt legislation similar to what we have in Europe. Since that is a bridge too far, they have instead created a special set of rules that applies only to EU personal data.
Making such a system work in practice is no easy feat. Why would law enforcement and national security authorities refrain from analysing European data when all other data is being analysed like there is no tomorrow? It is nice to have an Ombudsperson for when it all goes wrong, but what is he or she going to change when push comes to shove? Not much is probably the honest answer, and it is equally unclear to what extent the other redress possibilities will be effective. The European Court of Justice did not demand that such possibilities exist in theory; it demanded that they actually allow privacy rights to be enforced.
As long as enough people are willing to believe the EU-US Privacy Shield is a good framework, there will be no problems. That is, of course, until someone does see a problem. It is not unlikely that we will once again be facing a ruling annulling the arrangement.