The 28 EU states have approved “Privacy Shield,” a new version of the Safe Harbor agreement for transfer of individuals’ data between the US and the EU. That is good news. The earlier Safe Harbor agreement was struck down by the European Court of Justice (ECJ) in a case where a European individual claimed that NSA collection of data violated his right to privacy, and that the violation was a consequence of Safe Harbor’s inadequacy. Since then, data flows between the US and the EU have been conducted under shaky contract clauses that some believe would not withstand another ECJ challenge. Given the massive volume of digital commerce conducted between the EU and the US, a more stable arrangement is needed, and we can hope the Privacy Shield provides that foundation.
The Privacy Shield authorizes a participant (company or agency) to move and process an individual’s data needed to conduct commerce, law enforcement, or judicial procedures. That authority is contingent on individuals being given notice of why a Privacy Shield participant seeks the individuals’ data and what processing the participant intends to perform. The individual must be free to grant or deny that use of his data. Participants must not retain individuals’ data beyond the time needed for the processing that the individual has agreed to.
Participants must safeguard individuals’ data from release to unauthorized parties, but participants may disclose an individual’s data to a suitable 3rd party for processing provided the participant is assured that the 3rd party will provide the same level of data protection and will treat the individuals and their data in the same manner that Privacy Shield obliges the participant to offer.
The individual has the right to grant or to deny access to his personal information. Individuals have the right to complain about use made of their data and to have the complaint resolved expeditiously and without charge. Complaints can be directed to US or to EU authorities, and EU individuals are expressly given the right to sue in US state courts.
Embedded in Privacy Shield are some safeguards that apply to US “national security services” that sometimes conduct bulk collection of individuals’ data to identify terrorism threats. Their actions will be subject to review by an ombudsman who will investigate EU complaints. The Federal Trade Commission is assigned the chore of monitoring the behavior of US participants.
American individuals have not been given a choice on Privacy Shield and the entire agreement is tilted toward the hyper-sensitive privacy views of Europeans, including their bizarre commitment to “the right to be forgotten,” a stylish excuse for avoiding embarrassment by rewriting history.
The White House has announced its agenda for privacy research. To the extent the agenda bears practical results for safeguarding information, it may increase the cost and effectiveness of a participant’s obligations to individuals.
Some in Europe still feel the Privacy Shield risks individuals’ data too much and the agreement should force stronger safeguards from anyone processing Europeans’ data. Activists may once again challenge the agreement in the ECJ. If the ECJ upends the Privacy Shield, it may take substantial time and perhaps some painful concessions from the US to reinstitute a deal that makes US-EU digital commerce orderly and efficient.