Facebook nemesis Max Schrems threw into serious disarray the whole (commercially vital) business of EU-US data transfers when his litigation destroyed the Safe Harbor arrangements. A fix was needed, quickly. The European Commission came up with a fix called the “Privacy Shield”. Some, including members of the Panopticon fold, had a disdainful – even gently mocking – take on the Privacy Shield: see for example Chris’ synopsis here. More importantly, the EU’s Article 29 Working Party did not seem entirely impressed by the Privacy Shield proposal.
Earlier this month, however, the EU member states approved the Privacy Shield. See an announcement here. This means it is likely to be up and running in August. Companies can therefore seek Privacy Shield certification as the basis for their EU-US personal data transfers. This successor to Safe Harbor certification will involve additional, more stringent standards: to certify, you will need, for example, to demonstrate with more rigour than was previously demanded that your privacy policies (including fair processing notices and measures for compliance with data subjects’ rights) and technical/organisational arrangements (including data security and staff training) are up to scratch in EU terms. You will also need to address any potential onward transfers, beyond the immediate recipient.
Some optimism then, about this fix for EU-US personal data transfers. Still, in the view of some heavyweights, this shield is hardly the stuff of Hephaestus (or whoever Hephaestus’ equivalent in privacy terms would be). GDPR champion Jan Albrecht and transatlantic transfer scourge Max Schrems wrote this piece this week on the defects in the Privacy Shield. There have been hints of legal challenge.
The Atlantic may not be entirely safe water for personal data transfer, but Privacy Shield is at least a practical step in the right direction.
Robin Hopkins @hopkinsrobin