• +49 (30) 804 03 588 | +49 (0)157 322 38619 | +33 (0) 6 79183704
  • sybille.boese-tarsia@sbt-rechtsanwaeltin.eu
  • Nickisch-Rosenegkstrasse 9, 14129 Berlin

EU-US Privacy Shield: Challenged Sooner Rather Than Later?

European Data Protection Supervisor G. Buttarelli and the Article 29 WG were quick to voice caution (i.e. before the application date of August 1, 2016) about the viability of the Privacy Shield in its present form.

The Irish Data Protection Authority has joined in, raising doubts about the long-term use and application of the EU Model Clauses (which to this day provide THE legal basis for the continuation of data transfers between the US and the EU for international companies). The Irish authority says that those clauses look very much like they'll become a "short-lived" option.

Mr. Schrems (at the origin of the annulment of the Safe Harbor principle) says that the redress mechanism for the user consists of referral to a weak ombudsman.

Among the big US companies, only Microsoft, AssureSign and Salesforce have applied for the Privacy Shield Certificate, and only 200 applications were pending in August 2016 (compared to 4,000 Safe Harbor applications previously).

The EU-US Privacy Shield is based on a system of self-certification by which US companies commit to a set of privacy principles – the EU-US Privacy Shield Principles.

There is an annual review mechanism in which US and European administrations participate.

In Germany, one federal DPA has communicated that it will challenge the Privacy Shield before the Court of Justice of the European Union (CJEU) as soon as this is possible, on the basis of (in)adequacy. The argument used is that the Privacy Shield does not respect the legal requirements of proportionality (which the CJEU had imposed in the FB decision).

After all, if US mass surveillance means the Privacy Shield doesn't protect EU citizens' rights, then the same risks also apply to EU model clauses and binding corporate rules.

Today, DPAs are not duly authorised to challenge a decision of the EU Commission before the CJEU. The German DPA is lobbying for it.

To underline its perseverance, the same DPA had examined practices for transferring data to the US following the annulment of the Safe Harbor Principle. Following its investigations, the DPA fined three of the 35 international companies it had visited.

The first joint annual review of the Privacy Shield will be carried out in August 2017.