by Samuel Stolton
Speaking at the presentation of the third annual review of the Privacy Shield agreement on Wednesday (October 23), Justice Commissioner Vera Jourova said dialogue will continue with US counterparts in order to “make the Shield stronger, including when it comes to oversight, enforcement and, in a longer-term, to increase convergence of our systems.”
The Privacy Shield agreement obliges American companies to protect personal data belonging to EU citizens, according to EU standards and consumer rights. It also establishes a framework that allows for the safe transmission of data across the Atlantic for commercial purposes.
As part of the publication of Wednesday’s review, the Commission said improvements to the EU’s personal data transfer need to be made “to better ensure the effective functioning of the Privacy Shield in practice.”
The Commission says specific areas that need to be bolstered include cutting down the time for companies that wish to be (re)certified as compliant with the agreement, making sure that compliance checks are carried out more comprehensively – including the stamping down on companies that falsely claim to be following the EU standards for data protection – and clarifying guidelines of how companies treat data belonging to EU workers in their own company.
In terms of compliance, the Commission also called upon the Federal Trade Commission to step up its game in terms of the investigation of companies that claim to follow the EU data protection rulebook, but in fact do not.
On a more positive note, however, Jourova did pay heed to the general “success story” of the agreement so far. “With almost 5,000 participating companies, the Privacy Shield has become a success story. The annual review is an important health check for its functioning,” she said.
Oversight formalities from the U.S. Department of Commerce are said to have improved, with monthly checks to verify compliance with Privacy Shield principles now taking place.
In addition, enforcement action has been bolstered, with Wednesday’s review revealing that seven Privacy Shield related cases having been opened in order to ensure just compliance with the rules.
On Wednesday, Jourova cited the $5 billion fine dished out to Facebook earlier in the year to set straight a government probe into its privacy practices, as an example of the efficacy of the Federal Trade Commission’s actions in this field.
The Commission also says that “an increasing number” of EU citizens are also “making use of their rights under the Privacy Shield.”
And, following the June appointment of tech businessman Keith Krach as the permanent Privacy Shield ombudsperson, in addition to the final two vacancies being filled on the Privacy and Civil Liberties Oversight Board, the US Privacy Shield team is now fully-staffed for the first time since 2016.
But while the Commission lauds such a move, Giovanni Buttarelli, the EU’s late Data Protection Supervisor, had earlier told EURACTIV that such appointments were “not a concession” but rather “a prerequisite for the functioning of the privacy shield.”
On Wednesday, Jourova conceded that this was indeed the case. “It’s true that we were waiting quite long” for the appointment of a permanent ombudsperson, she said, adding that Krach went through “very strict and public scrutiny” in the run-up to his appointment.
A big mistake?
Despite the Commission’s relatively warm appraisal of the Privacy Shield’s efficiency so far, there were other more pressing concerns aired by privacy advocates on Wednesday, with regards to the agreement.
Estelle Masse, a senior policy analyst at the digital rights group Access Now, said the agreement does not offer EU citizens a sufficient guarantee that their data is protected when being sent across the Atlantic. “The Commission is making a big mistake by maintaining the Privacy Shield,” she said on Wednesday.
“This framework has never been suited to protect people’s rights to privacy and data protection. The EU does not only enable the continuous violation of fundamental rights under this arrangement but it is also undermining its global leadership role on the protection of personal data.”
Meanwhile, European Parliament members were just as scathing. Renew’s German MEP Moritz Korner said that the agreement “fails in practice” and that it “does not guarantee sufficient legal security,” adding that it “must be suspended.”
“As long as Europe focuses on data protection, but the USA on the data ‘treasure’ of EU citizens, there will be no functioning transatlantic agreement,” he said.
*first published in: www.euractiv.com