On the heels of the Committee on Civil Liberties, Justice and Home Affairs’ (LIBE) recent resolution, the full European Parliament on July 5 adopted a resolution calling for the suspension of the EU-U.S. Privacy Shield agreement if the U.S. fails to comply in full by September 1, 2018. With a vote of 303 in favor and 223 opposed with 29 abstentions, the Parliament passed the resolution and stated concerns about the enforcement of the Privacy Shield framework and about U.S. surveillance and privacy law generally. Regarding the resolution, LIBE Chair and rapporteur Claude Moraes said “[t]his resolution makes clear that the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU charter.”
The resolution adopts and expands on the critiques of the LIBE’s earlier version passed on June 12. The resolution includes criticism of the U.S. approach to commercial privacy, as well as to national security and other government privacy practices.
Criticism of U.S. Privacy Laws
The resolution critiques several aspects of U.S. privacy law that Parliament contends vary from the GDPR’s requirements. Paragraph 15 of the resolution states that the Parliament “[w]elcomes and supports calls for the US legislator to move towards an omnibus privacy and data protection act.” Paragraph 16 criticizes the Privacy Shield for not adequately matching the GDPR’s requirements for automated processing/profiling and consent mechanisms. It calls on the Commission to order a study of automated decision-making vis-à-vis data transfers under the Privacy Shield, and to “provide for specific rules concerning automated decision-making to provide sufficient safeguards” if warranted. Paragraph 18 criticizes the Privacy Shield for “not follow[ing] the EU model of consent-based processing,” and urges the U.S. Department of Commerce and the European Data Protection Authorities to “provide more precise guidance as regards essential principles of the Privacy Shield such as the Choice Principle, the Notice Principle, onward transfers, the controller-processor relationship and access, which are much more aligned with the rights of the data subject under” the GDPR.
The resolution also criticizes a number of U.S. privacy laws, including aspects that are outside the control of a company that certifies to the Privacy Shield. As with the LIBE’s previous version, the resolution attacks the recently passed Cloud Act, which Paragraph 27 claims “could have serious implications for the EU as it is far-reaching and creates a potential conflict with the EU data protection laws.” Paragraph 28 argues that “a more balanced solution would have been to strengthen the existing international system of Mutual Legal Assistance Treaties … with a view to encouraging international and judicial cooperation.”
Paragraph 19 raises concerns about Congress’s rejection of the now-voided FCC Broadband Privacy Rule (S.J. Res. 34, 115th Cong. (2017)). The resolution characterizes the retraction of the rule, which had not yet entered into force, as “eliminat[ing] broadband privacy rules that would have required Internet Service Providers to get consumers’ explicit consent before selling or sharing web browsing data and other private information with advertisers and other companies.” The resolution “considers that this is yet another threat to privacy safeguards in the United States.”
Additionally, paragraph 26 criticizes Executive Order 13768’s removal of the U.S. Privacy Act protections for non-US citizens. The resolution acknowledges the European Commission’s position that the Privacy Shield’s adequacy assessment did not rely on the Privacy Act, and that therefore changes to the Privacy Act do not affect the Privacy Shield framework. Nonetheless, paragraph 26 claims this change “indicate[s] the intention of the US executive to reverse the data protection guarantees previously granted to EU citizens and to override the commitments made towards the EU during the Obama Presidency.” The resolution does not cite any support for this claim, nor does it refer to the protections for EU citizens provided under the Privacy Act due to the EU/U.S. Umbrella Agreement.
Criticism of U.S. National Security Practices
The resolution echoes previous criticisms of U.S. national security practices, focusing on practices authorized under FISA Section 702 and Executive Order 12333. Paragraph 22 “calls for evidence and legally binding commitments ensuring that data collection under FISA Section 702 is not indiscriminate and access is not conducted on a generalised basis (bulk collection).” To address these concerns, Paragraph 22 calls for “an updated report from the [Privacy and Civil Liberties Oversight Board] on the definition of ‘targets’, on the ‘tasking of selectors’ and on the concrete process of applying the selectors in the context of the UPSTREAM programme to clarify and assess whether bulk access to personal data occurs in that context.” The resolution further critiques the recent reauthorization of Section 702 for excluding EU individuals from its added protections, and for including “merely procedural” amendments that “do not address the most problematic issues.”
Paragraph 24 of the resolution criticizes Executive Order 12333 as “allow[ing] the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies” and lacking “any judicial review of surveillance activities.” Paragraph 25 criticizes the U.S. standing doctrine for creating obstacles for “non-US citizens to bring legal actions before US courts” challenging national security practices under the authorization of Section 702 and Executive Order 12333.
For more information on U.S. surveillance and privacy law and relevant EU law, see Alston & Bird Senior Counsel Peter Swire’s testimony to the Irish High Court in Schrems II, available here. The second annual review of the EU-U.S. Privacy Shield is scheduled to take place this fall. The full text of the Parliament’s resolution is available here.