Last week saw two important developments in relation to the EU-U.S. Privacy Shield (“Privacy Shield”) for transfers of personal information from Europe to the United States.
A draft adequacy decision and related documentation for the Privacy Shield were released by the EU Commission on February 29, 2016, and are now being reviewed by the relevant EU bodies. Following an opinion by the consortium of data protection authorities (“DPAs”), the Article 29 Working Party (“WP29”), which called for substantial amendments to the Privacy Shield, the EU Parliament and the European Data Protection Supervisor (“EDPS”) have now provided their own recommendations.
Both the EU Parliament and the EDPS call upon the EU Commission to fully implement the recommendations of WP29 and negotiate further improvements to the Privacy Shield with the U.S. administration. Whereas the Privacy Shield is regarded as “a step in the right direction” and an effort for “increased transparency”, both institutions have outlined certain limitations. These include:
- Necessity and proportionality of data transfers: The EU Parliament considers that, under Annex VI, bulk collection of personal data and communications of non-US individuals is still permitted in certain circumstances. According to the EDPS, the draft text contains substantial flaws as regards data transferred for commercial purposes, especially concerning the protection of such data while in transit. Both institutions recommend that the Privacy Shield specify more clearly the circumstances under which U.S. authorities may access data for reasons of national security, law enforcement or the public interest. Under the Commission’s proposed texts, the Privacy Shield would legitimize routine access by U.S. authorities to EU personal data pursuant to U.S. laws that do not apply in the EU.
- Judicial redress for EU citizens: Both institutions acknowledge that, as compared to the Safe Harbor, the Privacy Shield strengthens mechanisms for ensuring compliance review and judicial redress. However, they call for a simplification of oversight mechanisms. The EDPS considers that, although the current draft of the Privacy Shield allows EU individuals to bring cases before U.S. courts, it does not provide for effective means of redress given the complexity of proposed mechanisms. Possible alternatives include that individuals (i) are assisted by EU DPAs during U.S. proceedings or (ii) are able to bring claims for damages against U.S. Privacy Shield participants before a competent EU national court. In general, the EU Parliament recommends procedures which are “user-friendly and effective”.
- Government surveillance: Whereas both institutions welcome the appointment of an Ombudsperson in the U.S. Department of State, they also highlight that the current version of the Privacy Shield does not provide for sufficient independence of the Ombudsman vis-à-vis the U.S. administration. One solution, according to the EDPS, is that the Ombudsman report directly to the U.S. Congress.
- Enforcement of Privacy Shield: Another criticism is that the enforcement role of U.S. authorities is not clearly delineated. The EU Parliament calls on the Commission to seek clarification on the legal status of the “written assurances” provided by the U.S.; the EDPS recommends that U.S. authorities monitor compliance with the Privacy Shield through onsite inspections of organizations that self-certify under the Privacy Shield.
- GDPR: The EU Parliament and the EDPS call for an alignment between the Privacy Shield and the principles of the EU data protection framework. In particular, they invite the EU Commission to take into consideration the recently-approved General Data Protection Regulation (“GDPR”). The EDPS notes the absence of generally-applicable U.S. federal-level legislation that establishes data protection standards which are “essentially equivalent” to those applicable under EU law, and that all third countries recognized by the EU Commission as offering adequate protection have such laws in place.
Although the Commission may take them into account, the recommendations made by the EDPS and the Parliament are not binding in the present context. The Commission is expected to finalize a draft adequacy decision on Privacy Shield in the coming weeks.
The EU Parliament Resolution is available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+MOTION+P8-RC-2016-0623+0+DOC+XML+V0//EN.
The EDPS Opinion is available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2016/16-05-30_Privacy_Shield_EN.pdf