At a recent conference in Amsterdam, the US Federal Trade Commissioner (FTC), Julie Brill, stated that the Schrems decision “cystallizes what has been clear, or should have been clear, for a long time about privacy in Europe: it is a fundamental right that Europeans and their Court take very seriously”.
However, the FTC warned of the “important protections” lost through the CJEU’s invalidation of the Safe Harbour framework, in particular the lack of transparency now surrounding transatlantic transfers. Whilst the US government published a list of every company that filed its Safe Harbour self-certification, some of the alternatives to Safe Harbour do not offer the same level of transparency. For instance, model contracts might require some companies to file copies of their contracts with a data protection authority, but this is not the case in every Member State (e.g. there is no such requirement in Ireland).
In addition, although companies with approved binding corporate rules are listed on the European Commission’s website, the details of the rules that each company creates for itself are not public. She also stated that FTC enforcement of US companies’ transatlantic privacy commitments is now much more difficult due to the absence of public representations to consumers by US companies.
The FTC welcomes a new data transfer mechanism that strengthens the privacy protections that were in the Safe Harbour principles, and advocates a shift in the way the US has framed privacy, noting that it has largely separated discussions about data practices of commercial firms from the data practices of government.
The speech is available here.