Facebook joins the EU-US Privacy Shield and Schrems takes aim again…

Privacy Shield

Parts of social media giant Facebook have signed up to the EU-US Privacy Shield, a new EU data pact that allows US technology companies to transfer EU citizens’ personal information across the Atlantic.

Two areas of Facebook’s business are covered by the Privacy Shield Principles: Workplace by Facebook, a brand new company-specific version of Facebook launched earlier this month that “allows people to more effectively collaborate and share information at work”, and its Ads and Measurement products.

So, what is the Privacy Shield?

The EU-US Privacy Shield Framework:

…was designed by the US Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law.

Privacy Shield is designed to fill the gap left by the controversial ‘Safe Harbor’ framework.

Why was Safe Harbour replaced?

When Austrian law student Max Schrems complained about the mass transfer of Facebook Ireland’s users’ data to the US National Security Agency (NSA), Ireland’s Data Commissioner ruled that Facebook’s transfer of data fell within the terms of an EU-US data-sharing agreement made in July 2000 called ‘Safe Harbour’.

The High Court in Ireland referred a data-sharing case to the European Court of Justice (ECJ) and the ECJ subsequently ruled the Safe Harbour agreement invalid.

That was just over a year ago and, as we wrote at the time:

Large tech firms including Apple, Facebook and Twitter are likely to feel the impact of the decision immediately, as it appears they must now abide by the individual data privacy regulations in each of the member states of the European Union.

The European Commission and the US Government quickly began talks and reached an agreement on the new framework – the Privacy Shield – in February 2016.

The EU-US Privacy Shield is launched

In April 2016, an EU data protection working party welcomed “the significant improvements brought by the Privacy Shield compared to the Safe Harbour decision”, but, at the same time, raised three concerns:

  1. Organisations were not obliged to delete data they no longer need
  2. The collection of massive and indiscriminate data had not been fully excluded
  3. The Ombudsman may not have sufficient powers to function effectively

Then, in May 2016, the European Data Protection Supervisor published his opinion on the EU-US Privacy Shield, saying:

I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court.

Nevertheless, the framework was approved and the European Commission formally launched the EU-US Privacy Shield on 12 July 2016. A press release discussing the key principles of the framework noted under the heading ‘Clear safeguards and transparency obligations on US government access’ that:

The US has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-US Privacy Shield arrangement.

What next?

According to The Telegraph, Mr Schrems is not planning any immediate challenge. He does, however, feel:

The Privacy Shield is likely to be thrown out on the same grounds as Safe Harbour once an expected legal challenge to it is mounted.

So is that it from Mr Schrems? It’s clear from his @maxschrems Twitter account that he plans to fully test the new framework … starting with a Google access request:


Which was subsequently denied:


And then a test of the Ombudsman’s powers:


But it turns out it doesn’t exist yet:


Ho, hum …