The much-heralded first review of the EU‑US Privacy Shield Framework that governs the flow of personal information across the Atlantic has concluded – and would you believe it? Representatives of the EU and US think it's doing fine.
The two-day review is an annual requirement written into the new framework after the previous Safe Harbor agreement was ruled invalid by the European Court of Justice due to American mass surveillance.
Despite legal challenges against Privacy Shield and a very lukewarm response from the EU's Article 29 Working Party (made up of member states' data protection authorities), EU justice commissioner Věra Jourová and US secretary of commerce Wilbur Ross put out a joint statement at the end of the review that painted it in a positive light.
"This first annual review marks an important milestone for the Framework and for US‑EU cooperation on data protection issues," they said on Thursday. "The Privacy Shield raised the bar for transatlantic data protection by ensuring that participating companies and relevant public authorities provide a high level of data protection for EU individuals."
As for the slew of complaints leveled at the program – including the fact that the safeguards written in are largely worthless and the American Ombudsman tasked with reviewing abuses is toothless...
"Officials noted that this input greatly informed the review process and will lead to continued improvements to the functioning of the program," said the statement.
It went on: "The review examined all aspects of the administration and enforcement of the Privacy Shield, including commercial and national-security related matters, as well as broader US legal developments."
The short statement concluded: "The United States and the European Union share an interest in the Framework's success and remain committed to continued collaboration to ensure it functions as intended."
Behind the scenes, however, European officials remain unhappy about the US stalling on making changes that bring it in line with data protection laws – basically promising not to force companies to hand over their data secretly to the intelligence services. And both sides recognize that the agreement is not being relied upon by many companies while its future remains uncertain. And corporate take-up will be the surest test of Privacy Shield's success or failure.
There is also the small matter that the issue of US mass surveillance is still under consideration by the European courts. Politicians can only stall for so long.
And then there is the Article 29 Working Party, which agreed not to sue and question the agreement's legality until it had a chance to look at proposed reforms following this first review. With the review over, that group will now start looking seriously at Privacy Shield and won't feel constrained to let it run its course for another year if it is not happy with the overall approach.