It was a mistake to stipulate a deadline for the Article 29 Working Party to produce a replacement Safe Harbour after it was successfully challenged by Hanff, a law student, in the EU court. Email marketing, with its dependence on personal data, needed a clear and enforceable plan and not something cobbled together in a rush.
The initial press release, http://europa.eu/rapid/press-release_IP-16-216_en.htm, was little more than a holding statement and in effect the deadline has been put off until the end of February. What little was specified is of concern though.
The pressure is on the US. It is the American-based internet giants, such as Google, Facebook and the rest, which depend to a great extent on easy data transfer. There are some reports of data storage being moved to the EU after the Hanff decision, those responsible no doubt fearing that a replacement for Safe Harbour might be a long way off. It seems their anticipation has been proved correct.
Instead of a document that would ensure safe data transfer and storage we have one where, some suggest, the main intent would seem to be the protection of US companies.
The Article 29 Working Party press release suggests that its proposals provide:
1/ Strong obligations on companies handling Europeans' personal data and robust enforcement,
2/ Clear safeguards and transparency obligations on U.S. government access,
3/ Effective protection of EU citizens' rights with several redress possibilities.
It sounds too good to be true.
Commentators on the proposals have been highly critical of some of the suggestions. The main problem is the fact that the US Government has almost unfettered access to data transferred into the country and has, for the last ten years or so, shown a distinct willingness to exercise that authority. What is required is for their systems to be changed or their powers limited. What do we get instead?
The EU is offered written assurances. It would seem that the outgoing president, with nine months left in power, will sign a document. At the moment it seems that it binds the US to little. There is the promise of an ombudsman, although what he or she can do without legislative backing has not yet been explained.
The baseline is that the European Court has decided that generalised access to data transferred from the EU violates the rights of its citizens. It is hard to see anything in this proposal which provides evidence of the USA’s willingness to change its practices.
The Privacy Shield proposal will have to be accepted by all 28 EU countries, some of which are fierce proponents of personal privacy. It would appear that we are in for protracted legal arguments even if the unlikely occurs and it is accepted.
It would seem that no national data protection regulator has given support to the Privacy Shield and there are already suggestions that those concerned with privacy rights are sharpening pencils as you read this.
The last thing those with email marketing lists wanted was a fudge. The provisions of the Privacy Shield are neither clear nor legally enforceable. A fancy name is not enough.