After 3 years of application, the transatlantic data protection mechanism, the ‘Privacy Shield’, continues to worry many stakeholders who doubt its effectiveness in protecting Europeans' data processed by US companies. On Thursday 9 January, the European Commission and the European Data Protection Authorities appeared before the European Parliament's Civil Liberties Committee to present their radically different views on the progress made.
In the eyes of the European Commission, represented by Bruno Gencarelli, who heads the 'International Flows and Data Protection' unit, the 'Privacy Shield' is a real 'success' in terms of participation.
In just 3 years, 5,000 companies have joined the framework, far more than the number of companies certified under its predecessor, the Safe Harbor, in its 13 years of existence, he said.
Mr Gencarelli listed the positive results of the scheme, detailed in the Commission's report published in October on the 3rd Joint Annual Review (see EUROPE 12355/9), including the appointment of a permanent mediator (‘Ombudsperson’).
Conversely, for Lisa-Marie Lange of the Hessen data protection authority in Germany and François Pellegrini of the French data protection authority, the list of shortcomings and improvements to be made is a long one.
In particular, the latter highlighted the inadequacy of the Ombudsperson's powers (see EUROPE 12372/12) as well as the need to improve compliance controls, data collection, the recertification process and the effectiveness of remedies.
According to Dutch MEP Sophie in 't Veld (Renew Europe), for whom 'Privacy Shield' is inadequate in terms of protection, these reviews come one after the other and look the same, with no real improvement year after year.
An adequacy decision for California as an alternative?
Thus, far from being allayed, concerns have even been rekindled since the Advocate General of the EU Court of Justice, Henrik Saugmandsgaard Øe, delivered his opinion in the 'Schrems II' case (C-311/18) at the end of December.
In the latter, he raises a series of doubts as to the validity of the ‘Privacy Shield’ with regard to the rights to privacy and data protection (see EUROPE 12394/7).
Several MEPs therefore wanted to know what the Commission's options would be if the CJEU were to invalidate the mechanism.
Asked by Patrick Breyer (Greens/EFA, Germany) whether the EU could adopt a data protection adequacy decision for California, which has recently adopted a data protection law, Mr Gencarelli replied 'yes'.
This possibility for a part or territory of a federal state is expressly provided for in the General Data Protection Regulation (GDPR), he explained. The case is particularly interesting, since the major digital companies are located in Silicon Valley.
For the rest, the Commission representative refused to speculate on the decision that might be taken by the Court of Justice. However, he pointed out that the Advocate General also stated in his Opinion that the resolution of the dispute in the main proceedings did not require the Court to rule on the validity of the ‘Privacy Shield’. (Original version in French by Marion Fontana)