Following the reservations in the opinion from the Article 29 Working Party (WP29) on 13 April 2016 and a resolution of the European Parliament demanding further negotiation on 26 May 2016, the Commission formally adopted the Privacy Shield on 12 July 2016. The formal adoption comes after a positive vote on the Privacy Shield from the article 31 Committee on 8 July 2016. This will enter into force immediately.
The article 31 committee held a number of additional meetings in June 2016 to further understand the implications of the Privacy Shield and whilst a qualified majority of Member States voted to approve the final text, representatives from Austria, Croatia, Slovenia and Bulgaria abstained from voting, having previously raised concerns that the Privacy Shield does not go far enough to protect their citizens’ rights.
Indeed Commissioner Ansip stated “We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.
Until October last year, organisations could transfer personal data to the US under the EU-US Safe Harbor scheme which allowed for self-certification as a proof of compliance with European data protection standards. However, in October 2015 the CJEU found the scheme invalid as it failed to protect EU citizens’ data from mass surveillance by the US government and therefore violated the right to privacy.
Since the October ruling, the Commission has been negotiating with the US on a new framework for data transfers to the US known as the Privacy Shield. The negotiation process has not been smooth and the constant moving deadline for an agreement, has left companies in limbo for some time.
The Privacy Shield imposes inter alia:
- stronger obligations on companies handling data;
- safeguards and more transparency in relation to US government access to EU citizens’ data;
- tightened conditions for onward transfer of data; and
- effective protection of European citizen’s rights including the right of redress.
TechUK, which represents 900 firms in the UK, described Privacy Shield as a “restoring a stable legal footing”. “The coming months will see much discussion on future options for the UK’s data environment in a post-Brexit world, today’s agreement underlines the importance of data flows to transatlantic trade,” said Charlotte Holloway, the group’s associate director of policy. “We urge policymakers to continue to keep front of mind that data and trade go hand in hand in today’s global economy.”
However, criticisms of the Privacy Shield still linger as is shown by the following statement of Joe McNamee, Executive Director of European Digital Rights: “Sadly, for both privacy and for business, this agreement helps nobody at all. We now have to wait until the Court again rules that the deal is illegal and then, maybe, the EU and US can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights”