
EU and US indulge in Privacy Shield self-congratulations in Brussels, but privacy activists say 'See you in court'

Stuart Lauchlan, July 11, 2016
The Eurocrats and the US Commerce Dept are in self-congratulations mode today with the adoption of Privacy Shield, but activists warn they'll have their day in court before long.

The European Union/US Privacy Shield has been signed into law in Brussels this morning. The only question now is how soon it finds itself facing a legal challenge in the European Court of Justice (ECJ) - and the answer to that is likely to be, 'Pretty soon'.

At this morning’s formal confirmation, European Commissioner Vera Jourová said:

The EU-US Privacy Shield has enormous potential. By protecting fundamental rights of individuals when their personal data is transferred from Europe to the US, and by giving renewed legal certainty to companies that rely on such transfers for their work, the Privacy Shield will strengthen the transatlantic economy and reaffirm our shared values.

Our attention must now turn to getting the Privacy Shield up and running in practice… It’s important that businesses can quickly sign up to the Privacy Shield, ending a period of uncertainty after last year’s Court ruling. And it’s equally important that individuals – whether as consumers or employers – have comprehensive information about how their rights are guaranteed.

She said that the European Commission is now producing a “citizens’ guide” to explain all the available redress options, and would be liaising with European Union data protection authorities and the US Department of Commerce.

For her part, US Commerce Secretary Penny Pritzker said Privacy Shield certifications would begin next month, adding:

We know that individuals and industry alike have faced uncertainty but I want to assure you that all of us are committed to a smooth transition to the Privacy Shield. To that end, once companies have had the opportunity to review the latest provisions of the Framework, we will begin to accept certifications on August 1st.

With the approval of the EU-US Privacy Shield, we send an important message to the world: The sharing of ideas and information across borders is not only good for our businesses but also for our communities and our people. For businesses, the free flow of data makes it possible for a startup in Silicon Valley to hire programmers in the Czech Republic, or a manufacturer in Germany to collaborate with a research lab in Tennessee. For consumers, the free flow of data means that you can take advantage of the latest, most innovative digital products and services, no matter where they originate.

For the tech industry, Microsoft - itself still embroiled in a critical data privacy battle with the US government - signaled its approval of Privacy Shield in a blog posting from John Frank, Microsoft's vice president for EU government affairs.

Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements. The Privacy Shield secures Europeans’ right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body, and it clarifies data collection practices by U.S. security agencies. In addition, it introduces new rules for data retention and onward transfer of data.

Somewhat optimistically he comes to the conclusion:

Privacy Shield shows that there is more that unites the U.S. and Europe on data protection than a superficial comparison might suggest.


But away from the self-congratulation in Brussels, critics are already gearing up for challenges to the new legislation.

Joe McNamee, Executive Director of European Digital Rights, says that the EU and US were prepared to put up with the “charade” that was Safe Harbor for 15 years. He predicts it won’t take that long for Privacy Shield to come under fire:

Everyone – the Commission, the European Parliament, data protection regulators, business and citizens know that this agreement will collapse much more quickly. We have “bulk data” that we are told is not bulk data, we have an “ombudsman” who is not an ombudsman, we have redress that is not redress.

Sadly, for both privacy and for business, this agreement helps nobody at all. We now have to wait until the Court again rules that the deal is illegal and then, maybe, the EU and US can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights.

Meanwhile in a statement, privacy activist Max Schrems warns:

Privacy Shield is the product of pressure by the US and the IT industry – not of rational or reasonable considerations. It is little more than a little upgrade to Safe Harbor, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU. This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution.

The European Commission and the US government managed to make everyone miserable, when they could have used this opportunity to upgrade the protections that are crucial for consumer trust in online and cloud services.

He adds:

While it seems that so far, there are no immediate challenges planned, it can be suspected that there will be no lack of possible plaintiffs. In addition to activists and NGOs, the Data Protection Authorities in the 28 member states can refer the question to national courts and the CJEU. Even the European Commission mentioned the possibility of a legal challenge on the validity of the Privacy Shield.

Assuming such a challenge is raised, Schrems has also outlined a number of what he calls unanswered questions about Privacy Shield:

  • How can a system that effectively only requires opt-out for the transfer of data to a third party (“Notice & Choice”) be “essentially equivalent” to EU data protection law, that requires consent (or another legal basis) even for the mere collection of data?
  • Why shall US providers be granted access to the European market, without following similar rules?
  • How are private arbitration bodies an “effective detection and supervision mechanisms” when they cannot even investigate the facts by e.g. on-site reviews?
  • How can the Commission claim that there is no “have access on a generalised basis” when the US explicitly names six cases where it allows “bulk collection”?
  • How can an Ombudsperson, that will not even disclose if a person was subject to surveillance, provide for a “right to an effective remedy and to a fair trial”?

My take

See you in court.

