In its first annual report, the European Commission (EC) has given a positive opinion on the EU – US Privacy Shield.
The Privacy Shield was set up as an ad-hoc measure after the Court of Justice of the EU struck down the Safe Harbor, a similar law that was deemed inadequate. Since EU law requires that data from the EU be transferred only to countries that provide an adequate level of protection, the Privacy Shield was devised as a way to accomplish that.
It entered into force on 1 August 2016. The US Government has given repeated assurances that the data will be safe from the prying eyes of its security agencies. EU citizens must also be able to exercise their rights to deletion with the US companies.
The Commission states in its report that it is satisfied with the protections it offers, including the protections against access by the US public authorities. Currently, over 2400 US companies employ the mechanism.
The EC did make a number of recommendations that are supposed to ‘ensure the continued successful functioning of the Privacy Shield’.
It recommends better monitoring of Privacy Shield-compliant companies by the U.S. Department of Commerce, as the number of companies falsely claiming Privacy Shield participation has skyrocketed.
It opines that EU citizens should be made more aware of how to exercise their rights with the US companies. Cross-border cooperation between the institutions should be improved as well.
EU citizens should also be given the protections against US surveillance, as guaranteed by the Presidential Policy Directive 28.
Věra Jourová, the EC Commissioner for Justice, Consumers and Gender Equality, commented that “Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards.”
Critics say the positive assessment is unsurprising. So much of the economy depends on the EU-US data transfers that, despite the obvious and glaring issues with it, the Commission had no real choice but to approve it.
Data transfers between the US and the EU are integral to the economies of both parties. Estimates show that up to 1.3% of the GDP could be lost if the trans-Atlantic transfers broke down.
Given the very exciting times we live in, privacy-wise, things could take a new turn quickly. We have yet to see how the US companies will adapt to the GDPR – and, indeed, whether the Privacy Shield is adequate enough to satisfy the GDPR requirements.