On 12th July 2016 the European Commission finally adopted the Privacy Shield adequacy decision recognizing a “substantially equivalent level of protection” to European standards defined by the Directive of 1995. It sets a new framework for data transfer between the European Union and the United States.

Privacy-Shield

End of uncertainty after the Safe Harbour

This mechanism, approved by the Member States on 8th July 2016, is the successor of the “Safe Harbor” decision that had been invalidated on 6th October 2015 by the European Court of Justice following the Max Schrems case.

The Safe Harbour agreement had been allowing for 15 years the US companies to transfer data of European citizens to the American continent, but that was canceled because the US did not offer a level of protection equivalent to European requirements. Since last October, it was no longer possible for companies to make transfers on the basis of this agreement.

European companies using this plan have now a legal basis to justify data transfers to the United States without having to go through contractual clauses or binding corporate rules. After months of difficult negotiations, the US gave written assurance to the EU that the government access to personal data will be controlled and limited and that indiscriminate mass surveillance of data of European citizens will be excluded.

Give “substantially equivalent protection”

This decision will enter into force as from its notification to each Member State and will be binding on them.

US companies will have to self-certify to take advantage of the decision on adequacy in accordance with the principles established by the EU-US Privacy Shield, and that, from the certification, except for companies that have already trade relations. The US Commerce Department announced that it would begin accepting certifications from 1 August 2016.

Digital companies welcome this measure, as John Higgins, CEO of Digital Europe, trade group which represents Apple, Google, IBM and others, said “we congratulate the Commission and the Ministry ; it would restore trust in data transfers between the European Union and the United States “

The way to achieve this adoption was in fact long and tricky. On 13th April 2016, the European data protection authorities, gathered under “G29”, had expressed their concerns on this mechanism stressing in particular the possible lack of guarantees on the independence of the future ombudsman responsible for collecting complaints of European citizens. But what has been firmly rejected by the G29 is the massive and indiscriminate collection of data, which suggests a possible invalidation of Privacy Shield.

An agreement potentially invalidated later

Which led to the invalidation of Safe Harbour is the extent of the surveillance conducted by the United States, or there is no evidence at this stage that things will change on this regard. The data of Europeans will always be monitored to deal with national security or when the public interest is in question, thus leaving a large flexibility to the authorities.

Therefore we can fear that opponents of the Safe Harbour, as Max Schrems, rely again on the thorny issue of mass surveillance through the collection of data user to request a cancellation in court.

The Austrian legal expert stated in particular in the Irish Times that “mass collection is incompatible with the fundamental right to protection of personal data.” He adds that “it is clear that the rules of Privacy Shield are far from ensuring equivalent protection to those imposed by the European Union”

Otherwise some member states such as Austria, Bulgaria, Croatia, and Hungary abstained to vote probably to express the text mistrust, and though adopted for the whole of EU, it is not unanimous. The G29, the European authorities for data protection group, scheduled to meet on July 25 to issue an opinion on the agreement that was adopted. While some are generally conciliatory with US companies, others like the French CNIL can be more demanding. Stay tuned..

DSC_0016
 
Mehdi Taieb,
Étudiant en master 2 Droit de l’économie numérique à l’Université de Strasbourg

A propos de Mehdi Taieb