Written by Justin Hemmings
On June 12, 2018, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) passed a resolution calling on the European Commission to suspend the EU-U.S. Privacy Shield unless the U.S. fully complies with the framework’s requirements by September 1, 2018. With a vote of 29 votes in favor, 25 opposed, and 3 abstentions the LIBE passed the draft resolution calling on the European Commission to
(1) ensure that the Privacy Shield fully complies with the GDPR and the EU charter so as to not create loopholes or competitive advantage for US companies; and
(2) restart discussion on the Privacy Shield and create an action plan to address the deficiencies identified by the European Commission’s and the Article 29 Working Party’s (WP29) 2017 annual joint review reports.
In an accompanying press statement, Members of the Parliament stated that the Privacy Should “should be suspended unless the US complies with it by 1 September 2018,” and that “the deal should remain suspended until the US authorities comply with its terms in full.”
The Resolution points to a number of alleged deficiencies in the Privacy Shield framework as support for its claim that the framework warrants suspension. The text cites WP29’s statement that it would seek a referral of the Privacy Shield Adequacy decision to the Court of Justice of the European Union (CJEU) if outstanding issues were not resolved by May 25, 2018; an action for annulment by La Quadrature du Net; and the referral of the Schrems II case to the CJEU regarding the availability of effective remedies for EU citizens under US law for data protection violations as warranting additional scrutiny of the framework. While not directly tying the Resolution to these separate challenges of EU-U.S. data sharing, the text appears to include them as supplementary evidence of a need for the Commission to take a more aggressive stance in the upcoming second annual Privacy Shield joint review.
The Resolution does point to three general categories of concerns and deficiencies that it believes must be addressed before September 1 if the Privacy Shield framework is to remain in effect: institutional and nomination issues; commercial issues; and law enforcement and national security issues. Summaries of these three categories are provided below.
Institutional / Nomination Issues
The Resolution raises concerns that three key oversight entities–the Privacy and Civil Liberties Oversight Board (PCLOB), Federal Trade Commission (FTC), and Privacy Shield Ombudsperson–have not been adequately supported. The Resolution calls on the U.S. Senate to ratify the nomination of Adam Klein as chair of the PCLOB without delay so that the Board can release its report on surveillance under Executive Order 12333. Similarly, the Resolution criticizes the lack of a permanent Ombudsperson and the three vacant seats of the FTC as undermining faith in the authority and effectiveness of these two key oversight bodies. (As a factual note, the Resolution was issued on June 12, but the FTC has had the full complement of five Commissioners since May 2). The Resolution reasons that without strong and well-defined oversight, the Privacy Shield’s self-certification mechanism leads to enforcement gaps that must be addressed in order to adequately protect EU data subjects’ rights.
The Resolution also raises concerns regarding false Privacy Shield self-certification claims and potential automated decision making and profiling by U.S. companies. The Resolution calls for U.S. oversight authorities to investigate public disclosures and reporting of alleged unauthorized data processing without delay, and to remove self-certified companies from the Privacy Shield list where they are found to be out of compliance with the framework. While it notes that the 2017 joint reviews did not indicate that any data transferred under the Privacy Shield framework was subject to automated decision making, the Resolution does allege a lack of guarantees in the Privacy Shield framework against such processing and calls for further assurances from the U.S. in this area.
National Security Issues
Finally, the Resolution raises concerns about the reauthorization of FISA Section 702 surveillance, the recent passage of the Cloud Act, and the availability of individual judicial redress mechanisms for EU data subjects. Pointing to the increase in the number of Section 702 orders, the Resolution calls for further evidence that surveillance conducted under these orders does not engage in bulk data collection. Similarly, the Resolution raises concerns that the Cloud Act enables U.S. and foreign law enforcement authorities to bypass the existing privacy and conflict of law safeguards of the Mutual Legal Assistance Treaty system. Finally, the Resolution raises the issue of standing doctrine in U.S. jurisprudence, and renews concerns that Section 702 and the Privacy Shield do not adequately provide effective judicial redress rights for EU data subjects when their data is collected or processed for law enforcement or national security purposes.
The full European Parliament is expected to vote on the Resolution in July. The second annual review of the EU-U.S. Privacy Shield will take place later this fall. The full text of the LIBE resolution is available here.