Must try harder – EU-US Privacy Shield requires improvement

On 26 May 2016, MEPs voted in favour of further negotiations with the USA to address deficiencies they had identified in the proposed ‘Privacy Shield’ programme.

The Privacy Shield programme for transatlantic data transfers was first announced in a European Commission press release on 2 February 2016. This followed the decision of the Court of Justice of the European Union in October 2015 that the Safe Harbor programme – which permitted lawful data transfers between the European Economic Area and the U.S. organisations that had signed up to it – was invalid because individuals’ privacy was under threat from US government surveillance. The Privacy Shield is being touted as a replacement for the Safe Harbor programme, although the details have not yet been finalised. The MEPs identified a number of deficiencies in the current proposal, in particular:

  1. Access –the US authorities’ ability to access any data transferred.
  1. Bulk data collection –this may be unnecessary or disproportionate in some cases.
  1. Regulation – a new institution termed the ‘US ombudsperson’ has been proposed, which MEPs are concerned would lack the requisite independence or enforcement power.
  1. Redress – MEPs considered the redress mechanism was overly complicated.

It remains to be seen how the requirements of the Privacy Shield will dovetail with those of the new General Data Protection Regulation which will be in force in the European Union from May 2018.

As there are restrictions on data transfers from the European Union to the United States, affected organisations will need to rely on other alternatives to the Safe Harbor programme while the details of the Privacy Shield are hammered out.

Cannings ConnollyCannings Connolly
8 June 2016

Disclaimer:
This Legal Update is published as a general guide only and it is not intended to contain definitive legal or professional advice, which should be obtained as appropriate in relation to any particular matter. This publication relates to matters prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.

For further information or advice on cross border data transfers and related matters please contact: Claire Walsh on
020 7003 8119 or email cwalsh@cclaw.co.uk.