Making Cloud SLAs readily usable in the EU private sector

EU privacy regulators have approved EU-US Privacy Shield

The Article 29 Working Party (WP29) of European privacy regulators has approved the entry into force from 1 August 2016 of the EU-U.S. Privacy Shield for the transfer of data related to EU citizens to the United States.

The new data transfer agreement was officially adopted by the European Commission. It replaces the Safe Harbour agreement, which the Court of the European Union judged in October 2015 to be unable to protect Europeans' personal data from U.S. surveillance practices.

US companies that need to transfer the personal data of European customers across the Atlantic can now enroll in a new framework to govern the transfer of such data, the so-called EU-US Privacy Shield, which is up and running today.


Privacy Shield Framework

The Privacy Shield introduces some additional protection measures for citizens and businesses that provide (directly or indirectly) their data to US persons (social networks, cloud operators, Web companies, e-commerce portals), in particular:

  • US companies that want to import data from Europe must assume specific obligations regarding the processing of data and must respect the rights of the individuals concerned. The Federal Trade Commission will oversee compliance with these obligations. Moreover, in some cases the companies in question would undertake to act in accordance with the decisions of the European anti-trust authorities;
  • The United States has given assurances that there will be clear limits on law enforcement authorities' access to personal data: there will be no indiscriminate or disproportionate monitoring activities;
  • European citizens who consider their rights violated in the United States will have several means of protection: the possibility for European authorities to bring cases to the Federal Trade Commission, or to contact an Ombudsperson created specifically for violations by intelligence authorities.


The European Commission has also made public the legal texts related to the Privacy Shield agreement, together with a guide for citizens that explains to EU consumers in detail how to request further clarification about the processing of their data by US companies.


The concerns of the Commission

However, the WP29 remains critical of Privacy Shield, despite what it sees as some improvements over Safe Harbor.

Specifically, the WP29 members are still concerned about the:

  • Lack of specific rules on automated decisions.
  • Lack of a general right to object.
  • Applicability of Privacy Shield to processors.
  • Independence and powers of the ombudsman mechanism.
  • Lack of concrete assurances that bulk data collection does not take place.


The EU has claimed the new agreement is fundamentally different from the earlier Safe Harbor self-certification, pointing to the new role it creates, a dedicated US ombudsman to handle complaints from EU citizens, as well as to the various guarantees provided by the United States government on limits to the mass collection of data for national security purposes.

"The EU-U.S. Privacy Shield protects the fundamental rights of Europeans and ensures legal certainty for businesses, including European companies, transferring personal data to the U.S.," said Věra Jourová, the EU's Commissioner for Justice, Consumers and Gender Equality, in a statement.


Next steps

WP29 has now announced its intention to test the Privacy Shield for a year before issuing a new assessment of it.

After twelve months the regulation will be subject to a formal review, after which it can be challenged on specific points with proposed changes, or approved en bloc.