Privacy Shield debate heats up as we wait for DPAs' opinion

The Privacy Shield framework provides an 'essentially equivalent' level of protection for personal data transferred from the EU to the US, Hogan Lovells LLP privacy lawyers conclude in their 63-page legal analysis commissioned by the Information Technology Industry Council and DIGITALEUROPE. Published on 31 March, it provides a positive perspective on the Privacy Shield a few days before the European Data Protection Authorities, grouped as the Art. 29 DP Working Party, discuss their opinion.

“Whilst we accept that certain aspects of the Privacy Shield framework would benefit from greater clarity, precision and accessibility, we are satisfied that these potential weaknesses do not affect the overall effect of the Privacy Shield framework and the level of privacy and data protection that it affords. In reality the true level of data protection afforded by the Privacy Shield framework will only be demonstrated by its functioning and the practices of its participants,” Eduardo Ustaran, Partner at Hogan Lovells, said.

The US has not made progress in adopting an omnibus privacy law, but recently adopted the Judicial Redress Act, which provides some privacy rights for EU citizens for data processed by the US government.

Several organisations, including European Digital Rights, American Civil Liberties Union (ACLU), EPIC, Digital Rights Ireland and Privacy International have written to the EU Article 29 DP Working Party and the EU Parliament’s Committee on Civil Liberties, Justice, and Home Affairs to argue that the proposed Privacy Shield for EU-US data transfers does not provide adequate protection.

The group says that ‘EU citizens still cannot be sure what will happen to their data once transferred to the US. Specifically, the US government continues to deny the relevance and application of the internationally-accepted standards of necessity and proportionality in its surveillance operations. In addition, the oversight mechanism established by the Privacy Shield to respond to complaints about US surveillance is not independent, nor does the office come empowered with sufficient authority to initiate investigations or respond adequately to complaints.’

They point out that for the Privacy Shield to survive, the US must formally commit to substantial reforms to respect human rights and international law in order to meet the standards set forth by the Court of Justice of the European Union and the Article 29 Working Group. The Privacy Shield contains no such commitment, they say.

The EU-US Privacy Shield will be reviewed by the following bodies, in this order: the EU Article 29 Data Protection Working Party, the European Data Protection Supervisor, the Art. 31 Committee (representing the Member States), the European Commission, the European Parliament and the Council of Ministers. The EU DPAs are expected to give their view by mid-April.