EU Lawmakers Question Data Transfer Program Ahead of Review

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

The European Union-U.S. Privacy Shield data transfer pact relied on by thousands of companies has flaws that must be addressed during the first annual review of the program, EU lawmakers said in a draft committee resolution narrowly adopted March 23.

The European Parliament Civil Liberties, Justice and Home Affairs Committee (LIBE) resolution said the review of the program scheduled for this summer should focus on continued U.S. surveillance of foreigners abroad and the viability of redress mechanisms for EU citizens over alleged U.S. government misuse of data. Without the Privacy Shield, hundreds of U.S. companies and thousands of EU businesses would be forced to use more cumbersome means to legally transfer EU citizens’ personal data to the U.S.

The resolution said the review of the program scheduled for this summer should focus on continued U.S. surveillance of foreigners abroad and the viability of redress mechanisms for EU citizens over alleged U.S. government misuse of data. Without the Privacy Shield, hundreds of U.S. companies and thousands of EU businesses would be forced to use more cumbersome means to legally transfer EU citizens’ personal data to the U.S.

The Privacy Shield, which is administered by the U.S. Department of Commerce, allows companies that self-declare their compliance with EU-approved privacy and security principles to transfer personal data from the EU to the U.S. Over 1,800 U.S. companies have registered for the program, including Microsoft Corp., Facebook Inc. and Alphabet Inc.'s Google.

Government Surveillance Concerns

Claude Moraes, the committee’s chair and resolution’s sponsor, told Bloomberg BNA March 23 that EU lawmakers are also concerned about data retention provisions in the Privacy Shield agreement. Additionally, the Privacy Shield doesn’t prevent U.S. authorities from carrying out “the bulk collection of personal data for national security purposes,” he said.

Lawmakers are concerned about the practical application of the Privacy Shield’s redress mechanisms under which EU citizens are able to challenge privacy violations, Moraes said. The draft resolution also called into question the “effective independent oversight” of the program by a U.S.-based ombudsman, he said.

EU privacy advocates and some lawmakers have been concerned that President Donald Trump may take action that undercuts the Privacy Shield. But government officials on both sides of the Atlantic have indicated their commitment to preserving business data flows between the EU and U.S.

The LIBE resolution is provisional until confirmed by a vote of the full European Parliament. LIBE backed the resolution in a 29-25 vote, with one abstention.

Summer Review

The European Commission, the EU’s executive arm, is obligated to review the Privacy Shield annually. The pact became effective Aug. 1, 2016.

EC spokesman Christian Wigand told Bloomberg BNA March 23 that the first review would take place over the summer but was unable to specify when the results of the review would be published.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The draft resolution, as introduced, is available at http://src.bna.com/nia.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security