The approval by the European Commission of the E.U.-U.S. Privacy Shield, replacing the Safe Harbor program, has led to questions about how stable such a scheme will be.
The end of the Safe Harbor ‘saga’
I had previously discussed the endorsement given by the EU Member States to the Privacy Shield, which has now become final with the adoption by the European Commission of the decision introducing the scheme, which is now fully in force.
This should put an end to a saga that started with the invalidation by the European Court of Justice of the Safe Harbor program. US companies doing business in the European Economic Area had to quickly adopt the easiest alternative route, which in most cases has been the model clauses for the transfer of personal data to third countries.
The debated approval of the Privacy Shield
The negotiations between European and American authorities on the program that was meant to replace the Safe Harbor have been quite ‘frenetic’ given the substantial cultural difference between Europe and the US on privacy rights. The publication of the draft Privacy Shield earlier this year had led to more complaints than support, with the Article 29 Working Party raising concerns as to its compliance with EU principles.
The main issues under debate concerned the need to ensure that personal data originating from the European Union, when transferred to the United States,
- are not subject to indiscriminate rights of access by US authorities and
- are treated in compliance with the obligations imposed by the Privacy Shield, also in the case of onward transfer to other entities
in order to avoid a sort of ‘far west effect’, with no control over personal data once it arrives in the United States.
According to the European Commission such issues have now been addressed through
- stronger rights granted to individuals to challenge breaches of their privacy before the US companies concerned, which shall initially deal with the matter internally, alternative dispute resolution bodies and European data protection authorities; and
- clearer reassurances by US authorities that they will not be allowed to have indiscriminate access to personal data coming from the European Economic Area.
What changes for US companies?
According to commentators, the changes made to the initial version of the Privacy Shield have not filled the ‘gap’ that had led to the decision of the European Court of Justice relating to the Privacy Shield. And the general feeling is that it might be challenged sooner rather than later.
The question is therefore whether, in the current scenario of uncertainty, US companies will decide to stop relying on the privacy compliance program based on the model clauses. That program cost them considerable effort, and certifying their compliance with the Privacy Shield might also be considerably burdensome.
The approval of the Privacy Shield might not have any winner if only a limited number of US companies decide to join it. But even the model clauses might not be a safe solution considering that the Irish data protection authority referred them to the European Court of Justice.
What might happen then?
The scenario is very uncertain. Many US-headquartered multinational companies are already moving the servers dedicated to their European business to the European Union. They don’t want to be victims of new European decisions on data protection compliance. This option might not be viable for smaller US businesses, including start-ups, which might decide to pull out of the European market, especially when the massive fines prescribed by the EU Data Protection Regulation come into force.
And this is all happening in a period of digital revolution, with the growth of the Internet of Things and Fintech, which are an opportunity from which European users might not fully benefit because of the stricter European privacy framework.