The Unsolved Puzzle Called Personal Data Protection
On February 2, 2016, the EU Commission and the United States reached an agreement on a new framework with the objective to reestablish the flow of personal data across the Atlantic. One week later, the American Senate passed the Judicial Redress Act that will allow EU citizens to bring their claims before the American courts.
Both texts are part of particular context highlighted by the end of the Safe Harbour Agreement. It essentially promised to protect EU citizens’ personal data if transferred by American companies to the US. The Court of Justice of the European Union invalidated the transatlantic agreement at the end of 2015. The Court considered that the data security level was not insured and its motivation was essentially based on the revelations made by Edward Snowden.
For several months neither the American companies nor the European data protection authorities knew how to deal with the situation and the conflicts it had arisen. Meanwhile, a draft of the future European Data Protection Regulation was revealed and it would empower the citizens to control their personal data.
As a result, the two protagonists agreed to create the Privacy Shield which will serve as a successor of the Safe Harbour Agreement. For the fist time, the US has given the EU the written assurance that the access of public authorities will be restrained by safeguards and oversight mechanisms. In addition, within the agreement, it is planned that in case of conflict or misuse of personal data a dispute resolution mechanism would be put into place. Accordingly, a mediator (ombudsman) will be appointed to try to settle amicably the legal dispute.
The Judicial Redress Act is the other piece of the puzzle. Under the Act, European citizens will have the same judicial redress that Americans do in case their personal data is misused by federal agencies. In other words, law enforcement and intelligent agencies are not allowed to spy on foreigners unless they show just cause—and if authorities step outside of the bounds of that protection, then they have the right to judicial redress. Passage of the act will likely smooth the path for law enforcement to share information during investigations of cybercrime and other illegal activities that cross borders.
Notwithstanding, the two acts are seen by some people as a simple tool that will likely do nothing to increase the protection of the personal information of EU citizens. Moreover, concerning the Privacy Shield Act, it was criticized for its political nature, considered as being part of the Digital Single Market initiative aiming to hamstring US digital mastodons. All it did was extend the gray area where the International corporations, and particularly U.S. technology companies, have been working since the European Court of Justice ruling last year. Subsequently, it is unclear what the possible arbitration costs shouldered by US companies will be and how much power will be given to the US ombudsman overseeing European data complaints.
If nothing else, one fact is clear, governments and companies have to find rapidly a solution because of the increasing awareness of citizens of the importance of the protection of their personal data.
Etudiant en Master II Droit de l’économie numérique, je suis intéressé par les tendances actuelles du numérique et par l’impact que celles-ci ont sur le monde juridique, notamment du point de vue de la propriété intellectuelle.