This article will discuss the EU – US data sharing saga negotiations which are underway, currently named the ‘Data Shield’; which is intended to be the new, improved ‘Safe Harbour’ which was previously invalidated by the ECJ in Schrems (C-362/14).
This politically agreed measure is meant to bolster EU citizen’s data protection rights on US soil. Such similar rights will be given to EU citizens, ‘similar’ being the contentious issue at the heart of the saga.
The European Data Protection Supervisor (Mr Giovanni Buttarelli) published an Opinion (4/2016) on the 30th May 2016 expressing their concerns and stating the shortcomings of Data Shield agreement. This follows the European Parliament adopting a resolution in early May. In this resolution, they called upon the Commission to negotiate a better deal in light of the current deficiencies.
Mr Buttarelli stated there this is a need for a long term, robust and lucid agreement between the EU and the US. Such an agreement should reflect the rights-based values in the Lisbon Treaty, Charter of Fundamental Rights and the US Constitution, all if which is reflected in the Schrems judgement. Whilst it is a step in the right direction, it is not robust enough to endure the ECJ’s scrutiny. The starting point should not be the invalidated agreement, which is what has been done.
As is, the agreement does not sufficiently safeguard individual privacy. Data protection or afford sufficient access to judicial redress. Furthermore, the approach of self-regulation is short-sighted and unable to uphold EU citizens’ rights in the long run.
Mr Buttarelli suggests that the starting point of this agreement should be the EU legal framework. This being the threshold that would meet the Schrems ‘essentially equivalent’ standard. To ameliorate the current deficiencies, main data protection principles should be expressly stated in detail in the agreement and that it should look to limit derogations. There should also be assurances that the role of the Ombudsman should be further developed so that it can act independently and that commitments should be made, ensuring its decisions are respected.
For the 4,600 companies that signed up to the agreement, Butarelli’s Opinion still leaves them in the dark. They are currently relying on ‘model contract clauses’ to allow them to transfer personal data abroad; which is terrifyingly similar to the Safe Harbour Agreement, especially as they are built on a similar premise. Despite the ongoing turbulence, it must be remembered that those whose data is held, the GDPR will afford redress from breaches outside the EU by foreign companies.
From this Opinion it can be taken that this agreement still has a long way to go.
Please contact us for further information.