Scrutiny of EU-US Privacy Shield
On 12 June 2018, the Civil Liberties, Justice and Home Affairs Committee (the ‘Committee’) of the European Parliament passed a Resolution, by 29 votes in favour, 25 opposed and 3 abstentions, calling on the European Commission to suspend the EU-US Privacy Shield arrangement (‘Privacy Shield’).
The Resolution calls for the international data transfer framework to be suspended unless the US demonstrates compliance by 1st September 2018, since it ‘fails to provide enough data protection for EU citizens’.
The Privacy Shield, first adopted in July 2016, replaced the Safe Harbor arrangement, which was deemed invalid by the Court of Justice of the European Union in October 2015. The Privacy Shield acts as a mechanism to allow the sharing of EU citizens’ personal data with US companies certified under the Privacy Shield arrangement, as the self-certification is deemed to demonstrate that the recipient entity will protect the personal data in accordance with the fundamental rights of the EU data subjects.
The framework is reviewed on an annual basis. On 18 October 2017, the European Commission published its first annual report after having gathered information and feedback on the implementation, function and enforcement of the Privacy Shield from relevant stakeholders. The report suggested that, whilst the Privacy Shield could benefit from improvements in certain areas, the framework nonetheless ensures an adequate level of data protection to EU data subjects.
The Committee, however, has taken a more pessimistic view. It has expressed particular concern about the failure of US authorities to ensure that certified companies are monitored for compliance with the Privacy Shield Principles. The Resolution stresses that a ‘lack of sufficient oversight and supervision after self-certification risks to lead to enforcement gaps.’ The Civil Liberties Committee has therefore called on US authorities to ensure that any revelations as to organisations failing to adhere to the Privacy Shield regime are investigated ‘without delay’. Further, should a company be found to have misused personal data, that company should be removed from the Privacy Shield list.
The Resolution calls on the European Commission to ensure that the framework is compliant with the GDPR, so that no unfair competitive advantage for US companies can be derived from application of the Privacy Shield.
MEPs also raised concerns in relation to the recent adoption of the Clarifying Lawful Overseas Use of Data Act (‘CLOUD Act’), which permits US law enforcement authorities to access personal data stored abroad. MEPs noted that this US law could conflict with EU data protection laws and may have significant implications for EU residents.
The Resolution also seeks to restart discussions between the Commission and US authorities to address the issues and concerns identified by reports produced by both the Commission and the WP29.
The full Parliament is expected to vote on the text in July 2018 prior to a plenary debate with the European Commission. We anticipate that the Parliament will adopt the Motion for Resolution by the Committee, reiterating its ongoing commitment to protect EU citizens’ data. The European Commission is scheduled to initiate the discussions with the US authorities for the second annual review of the EU-US Privacy Shield in September 2018.