Max Schrems certainly is not impressed by the EU-US Privacy shield comparing it to ten layers of lipstick on a pig. Pigs might take exception to be used in such a derogatory manner being the magnificent beasts they are. Is Max Schrems glammed up porcine comparison correct?
Really it remains to be seen. The Article 29 Working Party has confirmed that it intends to adopt an opinion on the EU-US Privacy Shield in mid-April. The European Commission has issued its adequacy decision along with the texts that will actually make up the Privacy Shield. The next steps are for the EU Data Protection Authorities and the European Data Protection Supervisor to have their say before formal adoption occurs.
Let's hope clarity comes quickly - a recent survey by the Irish Computer Society's recent shows that three quarters of Irish business transfer data abroad. That's a whole lot of data and most of it will need an equivalent of Safe Harbour in order to be legitimately transferred.
A crucial component of the Privacy Shield has now been signed into law in the US. The Judicial Redress Act grants EU citizens enforcement procedures in the US in respect of their data protection rights. This was a major issue with Safe Harbour. This is also the first time there has been written assurances from the US with regard to EU citizens' data protection rights. There are exceptions though and the US is still retaining rights to collect data in several matters including cybersecurity and threats to national security. This still seems contrary to the EU view on bulk gathering of data.
The Privacy Shield may not pass muster with the Article 29 Working party as a result. In the meantime uncertainty on international transfers reigns. Hopefully Privacy Shield is not a pig in a poke.
The WP29 called for the documents pertaining to the Privacy Shield to be delivered to it by the end of February — so the EC has just managed to squeak through on the extra day afforded by 2016’s Leap Year. In terms of next steps, the WP29 said it will be holding a meeting next month to assess the text, and has previously said it “could” come to a conclusion on whether the Privacy Shield is acceptable by mid-April or the end of April. Beyond the WP29’s assessment, it is also not clear that an agreed Privacy Shield will be able to deliver the certainty businesses crave. On this front, giving his early reaction to the text in a press statement, Schrems couches the deal as an attempt to put a lot of lipstick on the same old data-suckling pig…