On 6 April 2017, the European Parliament (EP) voted on a motion for a resolution on the adequacy of the protection afforded by the EU-US Privacy Shield. The scheme gives the United States a unique arrangement for the transfer of personal data from the European Union to the United States. The Privacy Shield replaced the Safe Harbor decision, which served the same purpose until the Court of Justice of the European Union (CJEU) invalidated it in the Schrems case in 2015.
The EU-US Privacy Shield has been showered with criticism from the moment the details of the new(ish) rules were published. However, the European Commission (EC) proposed and adopted it anyway.
The Article 29 Data Protection Working Party of national data protection authorities and the European Union Data Protection Supervisor (EDPS) issued opinions expressing numerous concerns regarding the level of protection offered by the Privacy Shield and its compliance with the right to the protection of personal data and the right to privacy. Moreover, the EP adopted a similar resolution in May 2016, when the draft decision on Privacy Shield was adopted, but its recommendations seem to have been ignored.
Today, the EP has adopted a new resolution which regards many of the Privacy Shield’s provisions as inadequate. The resolution lists several problems in the agreement and calls on the Commission to thoroughly examine them in its first annual review in September 2017.
Among the issues listed in the resolution, the EP raises awareness about the lack of specific rules on automated decisions and of a general right to object; the need for stricter guarantees on the independence and powers of the Ombuds mechanism; the current non-quorate status of the Privacy and Civil Liberties Oversight Board; and the lack of concrete assurances that the US agencies have established safeguards against mass and indiscriminate collection of personal data (bulk collection). Another flaw mentioned in the Parliament’s criticism is that the Privacy Shield is based on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme.
Furthermore, the resolution asks the Commission to seek (long overdue) clarification on the legal status of the “written assurances provided” by the US and to make sure the commitments made under the new decision will be kept by the new US administration. It also calls on the European data protection authorities (DPAs) to monitor the functioning of Privacy Shield and to exercise their powers to suspend or ban data transfers “if they consider that the fundamental rights to privacy and the protection of personal data of the Union’s data subjects are not ensured.”
Unsurprisingly, the Parliament notes “with concern” the dismantling of the FCC’s privacy rules. Last but not least, the EP calls on the Commission to take all the necessary measures for the Privacy Shield to comply with the General Data Protection Regulation (GDPR) and with the Charter of Fundamental Rights of the European Union.
The Privacy Shield has already been brought to the CJEU by two advocacy groups: EDRi member Digital Rights Ireland (case number T-670/16) and EDRi observer La Quadrature du Net (case number T-738/16). If the CJEU applies the same reasoning as for the former Safe Harbour agreement, the Privacy Shield will need a replacement very soon. It is to be hoped that the EC is preparing a contingency plan to resolve this situation as soon as possible and will not wait (again, as it did with Safe Harbour and the two Data Retention rulings) until it is forced to act by the Court of Justice. If the Commission does this, then maybe, finally, fundamental rights can be protected on both sides of the Atlantic, and both citizens and businesses can enjoy the benefits of increased trust in the online environment.