Yesterday the European Commission adopted the much talked about Privacy Shield. This is the new framework for EU-US data transfers which replaced the old Safe Harbour regime. Safe Harbour was struck down by the CJEU as not affording sufficient protection when Facebook's data transfers were challenged by privacy activist Max Schrems.
Schrems is not happy with Privacy Shield, having previously described it as a 'pig wearing lipstick'. Privacy Shield was designed to overcome the issues Safe Harbour had through stronger obligations on US companies and stronger enforcement mechanisms. It also offers limitations on US Government access to personal data for national security purposes (does it really?!). There are various redress options available to EU citizens if they become concerned that their data is being misused, and the framework is to be reviewed annually by various parties.
However, the same concerns raised regarding Safe Harbour keep coming up again and again. It seems likely that it won't be long before Privacy Shield is legally challenged before the CJEU for not going far enough. Concerns raised include the broad purposes for which data can be shared under Privacy Shield - this includes transfer for 'all services we may provide to you and others', which could certainly be interpreted very broadly. Schrems is also concerned about the difficulty data subjects would have in objecting to their data being shared. Other concerns include the fact that redress for breach seems multi-staged and complex, which is likely to put data subjects off.
It is expected that over $250 billion of transatlantic trade will be facilitated by the introduction of Privacy Shield, so that's one good reason for it to be approved. Companies will be able to certify themselves as Privacy Shield compliant from 1 August 2016, but it enters into force immediately. So while Google, Facebook and other US multinationals can rely on Privacy Shield, are we back to square one when the first legal challenge hits?
Does Privacy Shield protect the privacy of European users when their data is sent to the United States? Various indicators suggest it does not. With regard to the private sector, it is painfully obvious that the rules give nowhere near the level of protection and principles afforded by the EU.