Privacy shield works but could be better, says EU

Chris Hamblin, Editor, London, 14 November 2017

The European Union recently published a favourable first annual report on the functioning of the EU-US 'Privacy Shield' agreement, the aim of which is to protect the personal data of anyone in the EU that is to be transferred to companies in the US for commercial purposes.

On the whole, the report finds the agreement 'adequate' in its protection of the personal data transferred from the EU to participating companies in the US. Its authors believe that the US authorities have set up the right structures and procedures to operate it; these include new ways for EU subjects to claim redress. Complaint-handling and enforcement procedures have been set up, and co-operation with the European data protection authorities (including the UK's Information Commissioner's Office) has been stepped up. The certification process is functioning: the US Department of Commerce has now certified 2,400 companies.

The report suggests a number of ways in which the agreement might be made to work better. These include the following.

  • More proactive and regular monitoring of companies' compliance with their obligations by the US Department of Commerce. The department should also conduct regular searches for companies making false claims about their participation in the so-called 'shield.'
  • More awareness-raising among people in the EU about how to exercise their rights in accordance with the agreement, especially regarding the lodging of complaints.
  • Closer co-operation between privacy enforcers such as the ICO.
  • Some sort of formalisation of the 'protection' for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the continuing debate in the US about the reauthorisation and reform of s702 of the Foreign Intelligence Surveillance Act (FISA).
  • The urgent appointment of a permanent "privacy shield ombudsperson," plus the filling of empty seats on the Privacy and Civil Liberties Oversight Board (PCLOB).

Andrus Ansip, European Commission Vice-President for the Digital Single Market, said that his department was committed "to create a strong certification scheme with dynamic oversight work." In September, three US companies had to pay penalties for misleading consumers about their participation in the 'shield' regime. They were Decusoft, Tru Communication and Md7.

Věra Jourová, also of the European Commission, stated that "the fundamental right to data protection must be ensured...when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The privacy shield is not a document lying in a drawer. It's a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards."

When it signed the agreement in August last year, the European Commission promised to review it annually to see if it protected personal data properly. Its representatives met all relevant US authorities in mid-September 2017.

Its view of the agreement, which the US Government and the EU drew up after the European courts invalidated the International Safe Harbour Privacy Principles (the previous data protection agreement) in 2015, is a sanguine one. The 'safe harbour' was found to be decidedly unsafe in view of the US Government's notorious law-breaking surveillance of its own citizens and those of other countries that came to light in the Snowden revelations. This surveillance goes on, but the EU and US believe that an agreement with another name will keep the data flowing between banks and other financial institutions on both sides of the Atlantic, at least until the next court case.
