EU-US privacy shield: Political challenges ahead

Written by Spiro Dhapi on 4 May 2016

The EU-US privacy shield is a step in the right direction, but is still likely to face considerable opposition from citizens and the ECJ, writes Spiro Dhapi.

Last February, the European Commission introduced a new transatlantic data transfer scheme: the EU-US privacy shield. It was intended to replace 'safe harbour' and was an attempt to satisfy all parties involved - the EU judicial authorities, the EU public and tech companies in Europe and the US.

The European Court of Justice (ECJ) fundamentally annulled the previous scheme under safe harbour, mentioning in particular US authorities' unlimited and uncontrolled access to EU citizens' data and the lack of a protection and review mechanism. 

As a result, the Commission has presented a proposal which is an attempt to address all the concerns raised by the Court. The new scheme provides for greater supervision of the companies involved and for protection mechanisms, including sanctions and the exclusion of companies that violate the rules.


There is also a political commitment from the US administration to establish an Ombudsman, independent from national security agencies, that will follow up on complaints and enquiries by individuals and inform them as to whether the relevant laws have been complied with.

At the same time, the US government has promised that public authorities' access to personal data for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.

On the question of the availability of legal remedies, the new proposal includes a free-of-charge 'alternative dispute resolution', a 45-day timeframe within which to resolve issues, greater cooperation between national data protection authorities and the Federal Trade Commission, and an annual monitoring and review mechanism for the scheme.

The Commission's proposal has been met with a mixed response from stakeholders and the public; it appears representatives from both sides have reached compromises. Nevertheless, it remains to be seen if these answers will be deemed adequate when the scheme is, almost certainly, challenged before the ECJ. This is an outcome that will be hugely affected by the form these new proposals take in their implementation.

MEPs and activists have already pointed to the ambiguity of the language, which they say is solely based on political intentions. Further, they argue that under the new rules, EU citizens would have to seek justice within a non-EU jurisdiction, the US, by filing a complaint with the US Department of Commerce and the US Federal Trade Commission. Businesses have also expressed concerns about fines which, in case of a violation, could amount to up to four per cent of a company's annual global revenue.

The discussion is now becoming part of a wider conversation around security and terrorism, especially following the Brussels attacks. Many suggest there is a need to increase data flow monitoring, something they claim could prevent such attacks from even happening. Europe is currently in a state of shock, so such arguments appear to find ground with part of public opinion, and pressure is likely to increase on the European Parliament's more liberal parties.

Clearly, more work needs to be done to provide satisfactory solutions for all parties involved, and to pass the bar set by the ECJ. Experience from previous decisions handed down by the Court indicates that the Commission needs to ensure that a protection mechanism offers sufficient legal remedies to citizens, one for instance that respects the principle of proximity.

The next period until the new agreement is finalised, likely towards the beginning of the summer, will certainly involve even more political debates among the interested parties and intensified efforts from the Commission to close the loophole left after the Court's decision.


About the author

Spiro Dhapi is a technology legal and policy expert
