EU-U.S. Privacy Shield Under Fire

King & Spalding

On June 12, 2018, following its extraordinary meeting the day before in Strasbourg, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (“LIBE”) called on the European Commission (“Commission”) to suspend the EU-U.S. Privacy Shield (“Privacy Shield”) unless the U.S. complied with its terms by September 1, 2018 (the Press Release can be found here). LIBE’s chair, Claude Moraes, found that the Privacy Shield in its current form no longer provides the adequate level of protection required by EU data protection law and the EU Charter.

The Privacy Shield was designed by the U.S. Department of Commerce (“DOC”) and the EU Commission to provide companies with a mechanism to comply with European data protection requirements when transferring personal data from the EU to the U.S. (prior K&S reporting on the Privacy Shield can be found here). A transfer of personal data from the EU to Privacy Shield-certified companies in the U.S. is considered “adequate” by the Commission and, therefore, allowed under EU privacy laws without further notification requirements. The Privacy Shield, which has been operational since August 1, 2016, replaced the previous Safe Harbor Agreement, which was invalidated by the European Court of Justice in the Schrems case in October 2015 (past reporting by K&S can be found here).

To regularly verify that the findings in the Commission’s adequacy decision remain factually and legally justified, the Privacy Shield framework is subject to an annual evaluation by EU and U.S. representatives (“Annual Review”). In September 2017, the Privacy Shield survived its first Annual Review (K&S reported here). Whilst the Commission identified room for improvement in some areas in its 2017 report, it found that, overall, U.S. authorities complied with their obligations under Privacy Shield and the mechanism could therefore be upheld. In the light of LIBE’s harsh criticism of recent developments in the U.S., however, the Commission may take a closer look in the next Annual Review, due in fall 2018.

In the draft of the “European Parliament resolution on the adequacy of the protection afforded by the EU-U.S. Privacy Shield” dated April 4, 2018 (“Resolution”), which was on LIBE’s agenda at the meeting on June 11, 2018 (the final version of the resolution is not yet published), LIBE addressed issues in the implementation of Privacy Shield in the areas “Institutional/Nominations”; “Commercial”; and “Law Enforcement and National Security”:

  • Institutional/Nominations: LIBE noted that, to date, the U.S. has not appointed representatives for all positions that the Privacy Shield requires for effective enforcement of its principles. LIBE criticized, amongst other matters, the U.S.’s delay in appointing a permanent Ombudsperson to respond to EU citizens’ complaints over how their personal data is handled under Privacy Shield, and the fact that three of the five seats of the Federal Trade Commission, the agency that enforces U.S. organizations’ compliance with the Privacy Shield principles, were still vacant.
  • Commercial Issues: LIBE further complained about companies making false certification claims under the Privacy Shield (an issue that was previously addressed in the 2017 report) and expressed its concerns about a lack of guarantees for automated decision making/profiling. In view of the recent revelations of misuse of personal data by companies certified under the Privacy Shield, LIBE called on the competent U.S. authorities “to act upon such revelations without delay,” and if needed, “to remove such companies from the Privacy Shield list.” It also called on the competent EU data protection authorities “to investigate such revelations and, if appropriate, suspend or prohibit data transfers under the Privacy Shield.”
  • Law Enforcement and National Security Issues: LIBE expressed its “strong concerns” regarding the recent adoption of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), which expanded the abilities of American and foreign law enforcement to target and access people’s data across international borders without making use of Mutual Legal Assistance (“MLAT”) instruments. According to the Press Release, the committee members are concerned that the new law could have serious implications for the EU and conflict with EU data protection laws.

The Resolution was passed by a thin majority of 29 votes to 25, with 3 abstentions. The Resolution is not legally binding. However, in the light of the Resolution and the important role data privacy plays in the EU in general, the Commission is expected to take seriously the issues LIBE addressed in the Resolution.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
