Personal Data

EU organizations are not allowed to transfer personal data to countries outside the EU unless they guarantee adequate levels of protection. Safe Harbor provided a mechanism companies to transfer personal data from the EU to the USA.

Over 7,000 Companies Took Part

The European Commission published a decision in 2000 that set up Safe Harbor. Thousands of companies, including the internet giants Google, Facebook, Apple and Amazon, took part.

Self-Certification

The Framework relied on US companies "self-certifying" that they complied with the data protection standards required.

It also ruled that any future Safe Harbor Agreement 2.0 would not provide blanket immunity for any data transfers. National supervisory authorities are entitled to examine independently whether the transfer of a person's data to non-EU state complies with EU law.

Max Schrems is a Austrian privacy activist. He's campaigned against Facebook in particular due to alleged privacy violations.

In 2014, he filed a complaint to the Irish Data Protection Commissioner in respect of Facebook. When the Data Protection Commissioner rejected the complaint, he applied to the Irish High Court for judicial review. The High Court made a preliminary reference to the CJEU, resulting in the latter's ruling striking down the Safe Harbor Framework.

Edward Snowden is an American whistleblower who leaked documents detailing global surveillance programs run by the NSA.

In the case brought by Max Schrems, the Irish High Court stated, "the Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens. Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programmes".

More Redress Possibilities

The EU-U.S. Privacy Shield provides that companies must reply to complaints from individuals within 45 days. Provision is also made for free-of-charge Alternative Dispute Resolution. Finally, as a last resort, there will be an arbitration mechanism to ensure an enforceable decision.

U.S. Government Promises

The U.S. will provide written assurances that any access of public authorities to public data will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. Authorities will affirm that indiscriminate or mass surveillance will not take place

Annual Joint Review Mechanism

There will be an annual joint review mechanism for monitoring the functioning of the Privacy Shield and the U.S. commitments, including as regards access to data for law enforcement and national security purposes.

I have an incredible feeling of de ja vu. And a suspicion we'll be back at the drawing board before long. The text I've seen, while progress to an extent, doesn't appear to address key issues and will inevitably be challenged by an DP authority, an EU citizen, or the Parliament.

Even if Privacy Shield was bulletproof, it still doesn't apply to data processors outside of the FTC's remit. And as the Privacy Shield text was negotiated against the Directive instead of the Regulation that is replacing it, we will inevitably wind up faced with a renegotiation within the next 2 years or so. The ultimate fix lies not with the EU but on the US side. Legislative reform is inevitable to avoid repeating cycles of uncertainty.

The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision.

Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.