The jury is still out on the Privacy Shield

24 August 2018

The Privacy Shield agreement was introduced rapidly in 2016 to fill the void left when the previous Safe Harbour regime was found not to offer the 'adequate protection' for personal data relied on by the European Commission when it approved the scheme to enable data transfers to the US. It was therefore intended to offer stronger protections for transatlantic data flows to rectify the Safe Harbour deficiencies.
Under the Privacy Shield scheme, organisations must self-certify annually (via the Department of Commerce website) that they agree to adhere to the Privacy Shield Principles, a detailed set of requirements built on privacy principles such as notice, choice, access, and accountability for onward transfer. Before submitting its self-certification to the Department of Commerce, the organisation must put in place a Privacy Shield compliant privacy policy.

However, this self-certification model is the same as it was under Safe Harbour, which was denounced for letting companies pay mere lip service to the scheme, so it is perhaps no surprise that the Privacy Shield faces the same criticism. The Article 29 Working Party (the advisory body made up of representatives from the data protection regulator of each EU Member State, since replaced by the European Data Protection Board under the GDPR) called, on the first anniversary of the scheme, for the level of protection that the Privacy Shield gives personal data to be increased. The other major concern is how the right to protection of personal data sits alongside (or could be subservient to) US surveillance powers. The Irish court hearing the claim originally brought by Max Schrems (which has already led to the invalidation of Safe Harbour) has referred 11 questions to the ECJ on the balance between the right to privacy and mass surveillance in the US. The Article 29 Working Party also threatened to take the Privacy Shield to the national courts to have it struck down if the US authorities did not address the issues it had raised. Most recently, the European Parliament voted to suspend the Privacy Shield unless the US is "fully compliant" by 1 September 2018.

Cancelling the Privacy Shield would affect somewhere in the region of 3,400 companies that have self-certified. They would have to either freeze data flows or turn to the alternative transfer mechanisms, such as the EU Commission approved model clauses or Binding Corporate Rules. However, neither is a quick win: Schrems has also challenged the effectiveness of the model clauses (currently on appeal to the ECJ, to be heard by the end of 2018), and putting Binding Corporate Rules in place is neither quick nor easy.

What looks certain is that international transfers of personal data are set to change in the not-so-distant future.
