Privacy Shield Needs Improvements: European Parliament

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

May 26 — The European Parliament May 26 dealt another blow to the credibility of the European Commission's draft decision approving the European Union-U.S. Privacy Shield, by backing a resolution that said the commission should renegotiate with the U.S. to seek improvements.

The parliament's resolution, adopted in a 511-119 vote with 31 abstentions, is nonbinding, but it reinforces the Art. 29 Working Party of EU data protection officials' April 13 opinion that also criticized the Privacy Shield (15 PVLR 825, 4/18/16), and comes ahead of a European Data Protection Supervisor opinion, to be published May 30, that will likely say that the Privacy Shield has shortcomings.

The European Parliament resolution largely repeated criticisms of the Privacy Shield made by the Art. 29 Working Party, including that proposed redress mechanisms were overly complex, and that the legal status of assurances given by the U.S. about limitations on government surveillance of data was unclear.

The European Commission, the EU's executive arm, told Bloomberg BNA May 26 that it was working to adjust the draft Privacy Shield decision in the face of criticism from the Art. 29 Working Party and the European Parliament.

Laura De Boel, senior associate with Wilson Sonsini Goodrich & Rosati in Brussels, told Bloomberg BNA May 26 that “the European Commission does not need the Working Party's or the Parliament's approval” to proceed with Privacy Shield. “However, their criticism has an important political impact and is stalling the adoption process.”

“It is not clear when the Privacy Shield will actually be available to companies,” De Boel said.

Criticism Builds

The commission Feb. 29 published a draft decision that approved the Privacy Shield arrangement as being adequate to protect the personal data of EU citizens when transferred to the U.S. (15 PVLR 462, 3/7/16). The decision was the result of months of negotiations triggered by the invalidation of the U.S.-EU Safe Harbor framework, which had been relied on by over 4,400 U.S. companies and thousands of EU companies. The ECJ invalidated the Safe Harbor in October 2015 on the basis that it was inadequate to protect the privacy rights of EU citizens, in particular in the face of possible law enforcement access to their data in the U.S. (14 PVLR 1825, 10/12/15).

The parliament resolution said although Privacy Shield contained “substantial improvements” compared to Safe Harbor, the commission should “continue the dialogue with the U.S. administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.” In particular, data transferred under Privacy Shield could still be subject to bulk collection by U.S. authorities in some circumstances, and U.S. safeguards limiting bulk collection do “not meet the stricter criteria of necessity and proportionality” contained in the EU Charter of Fundamental Rights, the resolution said.

An ombudsman in the U.S. State Department proposed under Privacy Shield to investigate EU citizens' complaints related to surveillance of their data transferred to the U.S. (15 PVLR 269, 2/8/16) was “not sufficiently independent and is not vested with adequate powers to effectively exercise and enforce its duty,” the resolution said.

Commission Seeking Improvements

The commission said that it would amend the Feb. 29 decision approving Privacy Shield in line with the Art. 29 Working Party opinion and the European Parliament resolution, which contained “useful recommendations.”

The commission added it was “in discussions” with the U.S. on points that “can only be addressed in agreement with the U.S.”

Once an amended version of the decision is ready, it will be put before a regulatory committee of EU member country representatives, which will provide an opinion. If that opinion is favorable, the commission can adopt the Privacy Shield decision.

The commission said it aimed to conclude the approval of Privacy Shield by mid-July.

Viviane Reding, a center-right member of the European Parliament and the former EU commissioner responsible for data protection, said May 26 that the commission's final Privacy Shield decision should be “rock-solid” and “together with our American counterparts, further work is needed to turn written assurances into legal obligations.”

“The problem is, has always been, and remains the use of national security as a blanket exemption” to privacy safeguards, Reding said.

German center-right lawmaker Axel Voss said the negative opinions shouldn't hold up the finalization of Privacy Shield by the European Commission. Annual reviews of Privacy Shield would “ensure a permanent improvement” of the mechanism, Voss said.

German Green lawmaker Jan Philipp Albrecht said May 26 that the Privacy Shield “does not seem like a viable long-term solution.” “It seems highly questionable that this new framework addresses the concerns outlined by the European Court of Justice in ruling the Safe Harbor decision illegal,” Albrecht said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com

For More Information

The European Parliament's announcement of the resolution is available at http://src.bna.com/fmB.