Will September assessment scuttle EU-US Privacy Shield?

Ever since being finalized in July of 2016, the EU-US Privacy Shield has faced considerable criticism. Crafted to replace the long-standing EU-US Safe Harbor that was struck down the previous year, the EU-US Privacy Shield was intended to smooth the transfer of data from the EU to the United States while ensuring the privacy of EU citizens was adequately protected. 

But questions emerged almost immediately after its adoption as to whether the new framework actually provided adequate protections, or whether it too would be deemed insufficient. Those concerns have continued and resulted in multiple challenges to the legality of the Privacy Shield in EU courts. A parliamentary committee even adopted a resolution last month expressing concerns with the adequacy of protections found in the Privacy Shield. 

Those challenges and the concerns underlying them are set to be topics of conversation as top US and EU officials meet in September to assess the first year of the Privacy Shield. Vera Jourova, the EU Commissioner for Justice, Consumer and Gender Equality, announced that she and US Department of Commerce Secretary Wilbur Ross will be meeting in Washington, D.C., in September to discuss the new Privacy Shield, issues and concerns with its effectiveness, and the sufficiency of the protections afforded under the Shield.

Of particular concern to EU critics was the failure to include express limits on the collection of EU citizen personal data by law enforcement. One of the chief complaints with the prior Safe Harbor was that it allowed law enforcement to engage in large-scale, indiscriminate collection of personal information from EU citizens for law enforcement purposes. Such collections violated EU citizen privacy rights and ultimately led to the Safe Harbor being struck down in October of 2015. 

While the Privacy Shield established means for raising complaints over the collection of information by law enforcement, there are no express limitations in the Privacy Shield itself on how US law enforcement could collect data from EU citizens. Instead, US officials met with EU officials and assured the EU that the US would use more narrowly tailored information collection techniques. President Obama even signed Presidential Policy Directive 28 spelling out these assurances and others in 2014. 

Based largely on these assurances, EU officials tamped down much of the criticism of the Privacy Shield and squelched legal challenges to its sufficiency. But that was before Donald Trump was elected president and swept into office with promises to deregulate many activities.

Thus, it is unclear whether the directives in Presidential Policy Directive 28 are still the governing policy of the US’s new administration. And that uncertainty, in and of itself, has already allowed legal challenges to spring up to the Privacy Shield in Europe.

All of which makes the September review of the Privacy Shield that much more important for the Shield’s future. For instance, will the new administration provide assurances similar to those of the previous administration with respect to law enforcement collection of EU personal data? If not, will the EU withdraw its support for the Privacy Shield? If the Privacy Shield fails, will it also take down the so-called Umbrella agreement between the EU and US governing the sharing of personal information between law enforcement officials in both areas? And what sort of impact would that have on the security of Europe and the United States?

Thus, many more eyes than normal will be on what would ordinarily be a nondescript policy review of a data transfer agreement in September as the EU and US meet to assess the EU-US Privacy Shield. Regardless of what happens, the meeting is likely to have a significant impact on American companies doing business in Europe and looking to transfer EU citizen data to the US. 

Jason Schwent and Frederic Roth are attorneys in Thompson Coburn's Cybersecurity group.