Today, on 12 July 2016, the European Commission adopted the so-called “Privacy Shield”, a special arrangement that allows the transfer of personal data from the EU to the United States. The Privacy Shield replaces the former Safe Habor agreement, which used to serve the same purpose, before being annulled by the European Court of Justice (CJEU) in October 2015. In the light on the Snowden revelations on US mass surveillance, the Court decided that such data transfers would violate privacy and data protection rights of European citizens. The adoption of Privacy Shield today follows the approval by a majority of EU Member States in the so-called Article 31 Committee on Friday 8 July.
Sadly, for both privacy and for business, this agreement helps nobody at all. We now have to wait until the Court again rules that the deal is illegal and then, maybe, the EU and US can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights,
said Joe McNamee, Executive Director of European Digital Rights.
When the European Commission adopted the Safe Harbor agreement, it was widely understood to be illegal, but the charade was maintained for fifteen years. Everyone – the Commission, the European Parliament, data protection regulators, business and citizens know that this agreement will collapse much more quickly. We have “bulk data” that we are told is not bulk data, we have an “ombudsman” who is not an ombudsman, we have redress that is not redress.
In the annulment of Safe Harbor, the European Court of Justice made it clear that any future decision must ensure a level of data protection that is “essentially equivalent” to European law. When the first draft of the Privacy Shield was published on 29 February 2016, it was extensively criticised, for example by civil society and European institutions and bodies (the European Parliament, the European Data Protection Supervisor, and the European Ombudsman).
Safe Harbor Annulment (06.10.2016)
Leaked text by POLITICO (29.06.2016)
EDRi member Privacy International post (07.07.2016)
Statement by Max Schrems (12.07.2016)