US Forced Back to Negotiating Table on EU Privacy Shield
Last fall, the European Court of Justice invalidated the US-EU Safe Harbor program for transfering data between the US and EU nations. The decision was driven in large by the revelations over NSA surveillance. US authorities disputed this finding and former acting Commerce Secretary Cameron Kerry released a study demonstrating the privacy protections were “essentially equivalent” on both sides of the Atlantic.
In March, an agreement was reached on a new U.S.- E.U. Privacy Shield which would move beyond the Safe Harbor with pledges of more robust enforcement by U.S. authorities; greater transparency obligations on U.S. companies; allowing redress for EU citizens and providing for an annual review mechanism.
In April, however, the organization of EU national data protection regulators (Article 29 Working Party) issued an opinion on the EU-U.S. Privacy Shield finding that
[n]otwithstanding the improvements offered by the Privacy Shield, the WP29 considers that some key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions.
In May, the European Data Protection Supervisor Giovanni Buttare released a draft Opinion finding that while
[t]he draft Privacy Shield may be a step in the right direction but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision. In particular, the EU should get additional reassurances in terms of necessity and proportionality, instead of legitimizing routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU, as affirmed by the Treaties, EU rulings and constitutional traditions common to the Member States.
The same week, the European Parliament adopted a non-binding resolution calling for the EC to “continue the dialogue with the U.S. administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.”
The “deficiencies” about which the Members of the European Parliament (MEPs) voiced concerns include:
- the lack of restriction on access to European citizens’ personal data by U.S. intelligence agencies and the possibility of their collecting bulk data;
- the proposed U.S. Ombudsman, created to review the complaints of European citizens, which the resolution called neither“sufficiently independent” nor “vested with adequate powers to effectively exercise and enforce its duty”; and
- the complexity of the redress mechanism, which the resolution requested the EC and U.S. make more “user-friendly and effective.”
These moves puts a lot of pressure on negotiators who have stated a goal to implement the Privacy Shield by the end of June.
In addition, one fall back for companies was to instead rely on standard contractual clauses that adopt EU data standards, but the Irish Office of Data Protection has asked the European Court of Justice to determine the legal status of data transfers under Standard Contractual Clauses.