The European Commission issued a draft adequacy decision to EU members as a first step to ensuring that transatlantic data flows continue unabated. The move follows an EU court ruling that determined the U.S. was not adequately protecting the privacy of EU citizens' personal data.
The court case stemmed in part from classified documents leaked by former National Security Agency contractor Edward Snowden.
"The Commission has carefully analyzed U.S. law and practice," the EC said in its draft, concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organizations in the United States."
The EC findings specifically note that the Privacy Shield is based on self-certification by U.S. companies that commit to abiding by EU privacy requirements when they're handling private information of European citizens. U.S. organizations have to commit to a series of privacy principles, which include notice, security, data integrity and accountability.
Along with the draft adequacy decision, the European Justice Minister also released the full details of the Privacy Shield negotiated earlier this year between the U.S. government and the European Commission.
Now that the EC has presented the Privacy Shield and its adequacy proposal to the EU as a whole, there are some additional steps, any of which could derail the whole thing. First is an opinion by the member states data protection authorities and the European data protection supervisor. Any of the authorities in the member states can object to the Privacy Shield proposal and request changes.
The data protection authorities are operating under provisions of what the EU calls an Article 29 Working Party. Next is approval from the Article 31 Committee, which is comprised of representatives of each of the EU member states. The European Parliament can change or withdraw the adequacy provisions at any time.
Meanwhile, the U.S. must commit to protecting European data, including protection from indiscriminate or mass surveillance. The U.S. must also provide redress procedures, including an ombudsman. Fortunately, those redress procedures are in the works and will probably be in place before the EU finishes its approval process.
The Privacy Shield and the EU process for agreeing that the US provides adequate protection for the private data of Europeans is a major issue in the transfer of data by U.S. companies between the two continents. The lack of an existing agreement and the actions of some U.S. agencies have caused deep distrust of the U.S. government and its motives by Europeans and their government.