After much criticism, challenges to the newly-adopted framework could be on the way...
The European Commission formally adopted the much-debated EU-US Privacy Shield on Tuesday, finally replacing the Safe Harbour framework that was found to be invalid in October 2015.
Aiming to offer effective protection for the data of EU citizens, the Shield was formed from a political agreement between the European Commission and the US Government back in February, but it has had a turbulent journey to finding proper approval since then.
While there were qualified endorsements from the likes of Microsoft, EU data regulators felt for a long time that it would not get off the ground.
The EU's Article 29 Working Party, established under a 1995 Directive on personal data protection, took issue with six exceptions US intelligence agencies have demanded so that they can continue to gather data en masse from Europe.
The Working Party also argued that the role of a US-appointed ombudsperson was too vague – as well as the fact they will be reporting to the US Secretary of State. Not only that, the pact was judged to be too complex, bringing together legal instruments, letters, annexes and more.
Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, said:
"We believe that we don’t have enough security guarantees in the status of the ombudsperson... in order to be sure that this is really an independent authority."
Falque-Pierrotin noted that the Privacy Shield does not have a revision mechanism to handle the vast European privacy law changes that will arrive along with the new General Data Protection Regulation in 2018.
Meanwhile, Maz Schrems, the Austrian law student who won his case against Safe Harbour, wrote that the Privacy Shield would not stand up in court.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, said yesterday:
"The EU-US Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses.
"It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints.”
Andrus Ansip, Commission Vice-President for the Digital Single Market, commented:
"We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions.”
That “robust framework” is likely to face numerous challenges in the coming weeks and months.
Writing for Medium, Privacy International's legal officer Tomaso Falchetta said the Privacy Shield will be "a field day for law firms."
"Given the flawed premises – trying to fix data protection deficit in the U.S. by means of the Obama Administration's assurances as opposed to meaningful legislative reform – it is not surprising that the new Privacy Shield, at least as it appears in the leaked version, remains full of holes and offers limited protections."
Schrems hadn’t decided whether he would be the one taking the Privacy Shield, though he told Fortune someone inevitably would:
"There are so many options to kill it."
Digital rights group Access Now echoed these sentiments in a statement:
“Based on the same flawed foundations as its predecessor, the Privacy Shield is not likely to withstand future legal challenges.”