In 2015, the European Court of Justice struck down Safe Harbor, the legal device that enabled data transfers from the European Union to the United States. This summer, Safe Harbor’s successor, Privacy Shield, may meet the same fate.
Privacy Shield was supposed to offer more robust data privacy protections than Safe Harbor. The European Commission also pledged to monitor compliance on an ongoing basis.
Even so, critics have complained from the outset that Privacy Shield is a self-regulating system reliant on self-serving assurances for enforcement. They contend that, at best, Privacy Shield is no more than a rebranded Safe Harbor. For this reason, we have predicted that Privacy Shield may be on borrowed time.
That time may be at hand. On July 1, the EU General Court will consider French privacy group La Quadrature du Net’s complaint against Privacy Shield. La Quadrature du Net cites U.S. government surveillance to argue that Privacy Shield violates EU privacy law.
Privacy Shield’s legal position has been strengthened by the support of the Commission, nations such as France and the UK, as well as major technology companies such as Microsoft. On the other hand, the Court has concerns about the relative weakness of American privacy laws and Washington’s slow pace in filling critical privacy-related posts as members of the U.S. Privacy and Civil Liberties Oversight Board.
One high-profile instance that embarrassed Privacy Shield proponents involved controversial campaign analytics company Cambridge Analytica. SCL Elections, a Cambridge Analytica affiliate, remained Privacy Shield certified, enabling it to process data outside the European Union under pledges of “adequate protection.” The incident, along with other concerns, prompted the EU Parliament’s civil liberties committee to vote to suspend Privacy Shield and other mechanisms.
Companies that rely on Privacy Shield should consider alternative data transfer mechanisms such as EU Binding Corporate Rules as contingency planning for an adverse court ruling. A decision is expected later this fall.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.