The European Union has always been known to have a greater degree of data protection than any other entity in the world. Even before the General Data Protection Regulation came into existence, every country within the EU had its own data protection rules in place, and every entity doing business with Europe had to abide by them. But personal data is often required for commercial purposes between two nations, and proper regulation is also required to make sure that the data exchanged does not breach privacy in any way.
The Privacy Shield is one such framework between the US and the EU that regulated transatlantic exchanges of personal data for commercial purposes.
However, in the last few weeks, Privacy Shield has been under immense pressure because of flaws and vulnerabilities that are yet to be ironed out. The pressure is on the US as an EU lawyers’ association and Members of the European Parliament (MEPs) call for the suspension of the deal.
Privacy Shield 101
Before delving deeper into what the controversy is all about, first, let’s take a look at what this US-EU Privacy Shield actually is and does.
It is a framework or a set of guidelines, and one of its primary purposes is to make it easy for US companies to receive personal data from EU entities under the data privacy laws meant for EU citizens. The framework came into effect when the previous framework called the International Safe Harbor Privacy Principles became invalid in 2015.
Safe Harbor was created in 1998 and was meant to prevent organizations within the EU or the US that stored customer data from accidentally losing or disclosing personal information.
When Safe Harbor was declared invalid in October 2015 by the European Court of Justice, the European Commission and the US started to discuss a new framework to take its place.
In early 2016, both sides reached an agreement, with the European Commission drafting principles equivalent to the data protection offered by the EU. This was when the EU-US Privacy Shield started to take shape.
The erstwhile Article 29 Data Protection Working Party was an advisory body consisting of a representative of the data protection authority from each EU Member State; it has now been replaced by the European Data Protection Board (EDPB) under the GDPR. In April 2016, the Working Party said that although the Privacy Shield offered a number of improvements over the Safe Harbor framework, there were still three main areas of concern: deletion of data, collection of data, and clarification of the new Ombudsperson mechanism.
A month later, the European Data Protection Supervisor said that the Privacy Shield was not strong enough to pass the test if ever put to scrutiny by the European Court.
The EU-US Privacy Shield was approved in July 2016 by EU Member States representatives, with the European Commission adopting the framework a few days later. The framework went into effect on 12 July 2016.
At the time the Privacy Shield was passed, there were a number of concerns, and the Council of Bars and Law Societies of Europe (CCBE) – representing 32 EU member countries and 13 associate and observer countries – has reiterated the concerns and demanded the deal be suspended.
In a statement, the CCBE called on the European Commission to suspend the Privacy Shield and allow reimplementation only after the necessary guidelines and safeguards have been put into place. This demand comes at a time when a group of MEPs travels to Washington to discuss protection and privacy. This group had previously called for a ban on the Privacy Shield.
Several issues have put the US-EU relationship under strain, including NATO and Russia. At this time, if another data transfer deal collapses, there will be much pressure on both sides because businesses on both sides are dependent on such regulations to be able to exchange data.
The European Parliament has identified several areas in the Privacy Shield in which US authorities have failed to meet their commitments under the agreement, despite the deadline being 25 May 2018, the day the GDPR came into effect.
The US Senate has still not sanctioned the appointment of three members of the Privacy and Civil Liberties Oversight Board (PCLOB), which is keeping the board from carrying out its work to prevent terrorism and ensure proper protection of privacy and civil liberties.
Another means of oversight, the appointment of the Privacy Shield Ombudsperson, has also not yet been put in place. The European Parliament also sought an explanation of the powers of the Ombudsperson.
Much to Discuss
Aside from Privacy Shield, the group of nine MEPs in Washington will also discuss the Facebook data harvesting scandal, cybersecurity, and counter-terrorism with the representatives from the US Departments of State, Justice, Homeland Security and Commerce, and the Federal Trade Commission.