EU Lawmakers Question U.S. Data Transfer Program Viability

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Any weakening of U.S. privacy safeguards brings into question the viability of the European Union-U.S. Privacy Shield data transfer program relied on by hundreds of U.S. companies, EU lawmakers said in a resolution adopted April 6.

There are “great concerns” about broadening the authority of the U.S. National Security Agency to share data it collects with other law enforcement agencies, the resolution said. EU lawmakers are also “alarmed” about reports of surveillance of emails by an unnamed “US electronic communications service provider,” it said.

The prospect that EU concerns over U.S. government surveillance might bring an end to the Privacy Shield is of great concern to the hundreds of U.S. companies and thousands of EU businesses that rely on the program to ease the legal transfer of personal data from the EU to the U.S.

The Privacy Shield, which is administered by the U.S. Department of Commerce, allows companies that self-declare their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S. Nearly 2,000 U.S. companies are certified under the scheme, including Alphabet Inc.s Google and Microsoft Corp.

Quirine Tjeenk Willink, a data protection partner with Bird & Bird LLP in The Hague, the Netherlands, told Bloomberg BNA April 6 that companies want the system to survive because the economic significance of trans-Atlantic data flows makes the Privacy Shield “too important to fail.”

Privacy Shield Review

The EU should take U.S. commitment to privacy protection into account when it reviews whether the Privacy Shield is adequate to protect personal data transferred to the U.S., the resolution said. U.S. and EU officials have committed to undertaking the first annual review of the program in September. The resolution is nonbinding but will serve as a basis for setting the September review criteria.

In January, the outgoing Obama administration gave greater powers to the NSA to share collected data with other agencies. That development demonstrates why the upcoming Privacy Shield review should “ensure that the Privacy Shield provides a protection of personal data” in line with EU privacy rights, Claude Moraes, a British center-left lawmaker who chairs the European Parliament’s Civil Liberties, Justice and Home Affairs committee (LIBE), which prepared the resolution, told Bloomberg BNA April 6.

Trump administration actions have also caused worry. For example, the recent rescission of the U.S. Federal Communications Commission’s rule requiring internet service providers to get customer consent to use their web-browsing history for marketing may put the Privacy Shield in peril, EU lawmakers said.

“The direction that the Trump administration is taking on data protection issues is very concerning” Moraes said.

The European Commission, the EU’s executive arm, has been reassured by the Trump administration that it understands the importance of the Privacy Shield, European Commission privacy spokesman Christian Wigand told Bloomberg BNA April 6.

Redress Issues

Redress mechanisms— a crucial part of the Privacy Shield—were included as a safeguard against pressure to reduce individual privacy protections in the face of desires to address terrorism, Willink said.

But the resolution said the Privacy Shield doesn’t fully provide redress for EU citizens to challenge alleged U.S. government misuse of information.

The EU’s top data protection official, EU Justice Commissioner Vera Jourova, speaking during an April 5 parliamentary debate on the Privacy Shield ahead of the April 6 vote, said the September review of the framework “must not be just another report,” and would be an “honest and true reflection of the situation.”

The commission’s three priorities for the review are: to assess the U.S. privacy legal framework; to check that U.S. Privacy Shield administrators have the capacity to oversee the scheme; and to examine how individuals have made use of the Privacy Shield’s redress mechanisms, Jourova said.

The Article 29 Working Party of privacy officials from the 28 EU countries said in an April 6 statement that, during the review, it would be “essential that U.S. authorities provide substance and demonstrate to EU stakeholders that the system is in place and works effectively.”

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

The resolution is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security