The Privacy Shield, proposed this past February and greeted with cautious optimism by European and U.S. regulators alike as a more robust “replacement” for the invalidated Safe Harbor framework, appears to be suffering death by a thousand paper cuts. Today’s European Parliament resolution (the “Resolution”) delivered the latest blow. The Resolution recommends that the European Commission continue to negotiate the terms of the Privacy Shield with U.S. officials to address certain “deficiencies.” Although the Resolution is non-binding, it is highly influential. Parliament’s major concerns include:
- U.S. government surveillance. Parliament does not believe that the Privacy Shield adequately addresses the ability of U.S. law enforcement to access personal data transferred from the EU.
- Bulk data collection. Parliament is concerned that the Privacy Shield will not prevent bulk data collection that may violate the “necessity” and “proportionality” requirements set forth in the EU Charter of Fundamental Rights.
- U.S. Ombudsperson. The Privacy Shield calls for the appointment of a U.S. Ombudsperson who would work closely with the U.S. State Department and other agencies to coordinate responses to complaints regarding the U.S. government’s use of EU citizens’ personal data. Parliament welcomes the establishment of this role, but it does not believe the position will be “sufficiently independent” or “vested with adequate powers to effectively exercise and enforce its duty.”
- Recourse. In addition to the appointment of a U.S. Ombudsperson, the Privacy Shield contemplates a system of binding arbitration for complaints and disputes. An arbitrator would be selected from a pool of 20 arbitrators designated by the U.S. Department of Commerce and the European Commission. Arbitrators would have the authority to provide individual-specific, nonmonetary equitable relief to complainants. Parliament finds these recourse mechanisms to be too complex and has urged the Commission and U.S. regulators to make the process more “user-friendly and effective.”
- Periodic reviews. Parliament also called on the Commission to conduct periodic “robust reviews” of the Privacy Shield adequacy decision, particularly in light of the recently passed General Data Protection Regulation, which takes effect in May 2018 and will impose significant new data privacy and security requirements on U.S. companies doing business in Europe.
Parliament’s Resolution comes on the heels of a number of similar concerns voiced by other European regulatory bodies, including:
- Article 29 Working Party (WP29). On April 13, the WP29, an influential group of European data protection authorities (DPAs), issued a nonbinding opinion criticizing certain elements of the Privacy Shield. Today’s Resolution expresses Parliament’s support for that opinion, calling on the Commission to “implement fully” the WP29’s recommendations. For more analysis of the WP29’s opinion, see our previous post.
- Article 31 Committee. At a May 19 meeting, the Article 31 Committee – composed of EU member state representatives with veto power – announced that it could not reach an agreement on the adequacy of the Privacy Shield, stating that the Committee needed more time to review and reach a consensus.
- European Data Protection Supervisor (EDPS). This past Tuesday (May 24), EDPS Givoanni Buttarelli announced that he will issue an opinion on May 30 listing his “serious concerns” with the Privacy Shield. Signaling that his opinion will be “in full synergy” with the WP29 opinion, Buttarelli distinguished his view as more “future-oriented” and concerned with the Privacy Shield’s impact on other legal instruments. Referencing the recently passed GDPR, Buttarelli emphasized that “we cannot ask companies to change their privacy policies every year” and underscored his focus on “potential solutions” that companies of all sizes can implement to cover their transatlantic data transfers. Recognizing that large companies such as Google, Facebook and Amazon can rely on binding corporate rules (BCRs) and model clauses, Buttarelli insisted that many hundreds of smaller companies need a better solution.
With the Privacy Shield in limbo, the alternative data transfer mechanisms available to companies may be dwindling. Just yesterday, on May 25, it was reported that the Irish Data Protection Commissioner (DPC) plans to refer to the Court of Justice of the European Union (CJEU) a case concerning the validity of Facebook’s use of model clauses as an alternative transatlantic data transfer mechanism. This follows the Irish DPC’s referral of the landmark Schrems case to the CJEU, which resulted in last year’s CJEU opinion invalidating the Safe Harbor framework. As in the Schrems case, at issue is the potential for U.S. government surveillance of European citizens’ personal data, which, it is argued, is not prevented by model clauses.
If the case is referred to the CJEU and model clauses also are found to be invalid, in the absence of the Privacy Shield or other new framework, many companies may have no practical alternative for transferring personal data from the EU to the U.S. in a lawful manner. The remaining established transfer mechanism, BCRs, can be very time-consuming and costly to implement and apply only to transfers of data within a corporate group. The Irish DPC’s announcement echoes similar concerns brought last October by a group of German DPAs who called into question the validity of both model clauses and BCRs, as well as signaled their intent to audit personal data transfers based on model clauses.
We will continue to report and provide analysis on the ever-evolving transatlantic data transfer landscape. Please see our previous posts on the Privacy Shield, the invalidation of the Safe Harbor framework, and model clauses for more background information.