A long negotiation process and a controversial result lead to the Privacy Shield, in charge of data protection of European citizens after data transfers between European to American companies across the Atlantic ocean. The new agreement, which replaces the old Safe Harbor, should in theory assure an equivalent protection concerning the right of a private life for European consumers, even on the United States territory.
Adopted at the end of last December, the final agreement is already in danger after the signature by the new American President of an unfriendly decree for foreign citizens. Section 14 of the Executive Order is specifically focused on the data protection level for non American citizens: according to the text, these citizens, including European citizens who should be protected through the Privacy Shield – in theory: « Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information ».

Despite the call of the European Parliament for sanctions against United States and for the end of the Privacy Shield, the European Commission tried to soothe the polemic. Commissioners argued this measure will not have any consequences on the agreement, because it is not related to the Privacy Act. This act only concerns data collected exclusively by American governmental agencies on the US-territories – companies are not affected -, that means Trump’s decree has an impact on the Privacy Act at first, but contrary to what the European Commission claimed, the Privacy Shield will be impacted too: thus, this agreement was approved specifically thanks to strong restrictions about American agencies’ surveillance on European data. In this way, Trump’s decree does have an impact on the Privacy Shield and weaken data protection for European citizens after their transfer. Just as the Safe Harbor before it, the Privacy Shield is becoming more and more close from an invalidation before the European Court of Justice.
Moreover, another lack can be pointed out: data collected of European citizens on the US-territory are not protected by the Privacy Shield: the Commission is hiding consequences of the decree behind this shade. However, the issue of safeguards for American governmental agencies’ access to data should be covered by the Privacy Shield, and with the decree, these measures are now broken.

To find out more:

Privacy Shield overview:
https://www.privacyshield.gov/Program-Overview

Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantee), 13th April 2016:
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp237_en.pdf

Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision, 13th April 2016:
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf

Emmanuelle Gris
Margaux Etienne