EU Privacy Shield Status Update
While it’s making few headlines, the European Commission is still working to finalize Privacy Shield, and it’s even possible that Privacy Shield will pass a key hurdle by the end of this month. The Commission is still scrambling to address the concerns raised by the Article 29 Working Party and the European Data Protection Supervisor concerning the Privacy Shield arrangements that the Commission had negotiated with the US. (The European Parliament has also criticized Privacy Shield.) Some of the concerns raised so far have made it necessary for the Commission to negotiate further with the U.S. State Department. And now the Commission is shortly to present a proposed final version of Privacy Shield to the Article 31 Committee, which represents the Member States.
If the Art. 31 Committee agrees with the Commission, Privacy Shield will be submitted to the College of the Commission for formal adoption. If the Art. 31 Committee does not endorse the Privacy Shield arrangements, the Commission will need to consider further how to proceed. Also, the Council or Commission could intervene as permitted by the comitology procedure (which could result in more pressure on the Commission to negotiate further with the US).
News sources have speculated as to the status of the Article 31 negotiations (see here and here (scroll down)), but given the lack of specific information from the Commission on this point, it’s tough to tell what the real status is. In any event, while we expect to have some more concrete news by the end of June as to the progress of Privacy Shield, it is unlikely that Privacy Shield will be formally adopted by then.
And it’s important to keep in mind that, as soon as Privacy Shield limps over the finish line (assuming it doesn’t succumb to death by a thousand objections), it will almost certainly face immediate litigation seeking to have the Court of Justice of the EU invalidate it.
PS - for those who've been wondering, Brexit (should it occur) is unlikely to result in the UK taking a divergent path from the EU on general data protection rules.