The EU-US Privacy Shield is barely two years old, and already at risk of being invalidated. Early last week – ahead of the adequacy review by the EU Commission scheduled to take place in October – the European Parliament adopted a resolution determining that Privacy Shield does not provide the required ‘essentially equivalent’ data protection for EU citizens, and calling for the suspension of the data transfer mechanism unless the United States can make subtsantial changes to its privacy laws and framework by September 1, 2018.
The successor to the Safe Harbor mechanism (invalidated by the infamous Schrems decision), Privacy Shield was officially adopted in July 2016 and is now relied upon by many US tech companies (including such giants as Amazon, Facebook , Google and Twitter) to authorize transfers of personal data from the EU to the US. However, EU lawmakers have increasingly expressed unhappiness at the data transfer mechanism because, in their view, US authorities have not taken mandated and appropriate steps to enact certain reforms to US laws that would ensure an adequate level of protection by EU standards. Breaches such as the Facebook / Cambridge Analytica have also underscored the very different approaches to data privacy protection and enforcement that the US and EU take. Though the European Commission has rieiterated its intent to work with the US to maintain Privacy Shield, the EU Parliament’s resolution literally puts forth a long list of grievances regarding US Pivacy Shield framework in general, and underscores the vast differences between the EU and the US when it comes to proctecting individuals’ privacy rights.
Reiterating those grievances, the chair of the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee), summarized the core issues: “[t]his resolution makes clear that the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. Progress has been made to improve on the Safe Harbor agreement but this is insufficient to ensure the legal certainty required for the transfer of personal data …. In the wake of data breaches like the Facebook and Cambridge Analytica scandal, it is more important than ever to protect our fundamental right to data protection and to ensure consumer trust. The law is clear and, as set out in the GDPR, if the agreement is not adequate, and if the US authorities fail to comply with its terms, then it must be suspended until they do.”
Among the many concerns listed in the resolution, the US’ failure to permanently appoint an ombudsperson, who is intended to arbitrate any data-related complaints from EU citizens against US companies, continues to demonstrate a lack of commitment to privacy protection. This ties into the concern that Privacy Shield certification is not properly monitored by the FTC, which is charged with its enforcement. Likewise, Section 702 of the Foreign Intelligence Surveillance Act (FISA), which was recently extended, does not contain the safeguards warranted by the EU. In fact, Parliament notes that it “regrets that the US did not seize the opportunity of the recent reauthorisation of FISA Section 702 to include the safeguards provided in PPD 28” — referring to an Obama-era Presidential Policy Directive that backed extending privacy protections to non-US nationals. In other words, the EU would like to see these informal safeguards materialize into law, rather than remain policies – or promises – subject to presidential administrations with radically different views.
Parliament also expresses concerns re an executive order (Enhancing Public Safety) signed by Donald Trump in January 2017, which strips non-U.S. citizens of certain privacy protections, noting “the intention of the US executive to reverse the data protection guarantees previously granted to EU citizens and to override the commitments made towards the EU during the Obama Presidency.” And finally, the recent adoption of the Clarifying Lawful Overseas Use of Data Act (the Cloud Act), which expands the abilities of American and foreign law enforcement to target and access people’s data across international borders without certain safeguards, “highlights that [it] could have serious implications for the EU as it is far-reaching and creates a potential conflict with the EU data protection laws.”
The Privacy Shield’s second annual review by the EU Commission is due to take place in October, and despite pressure from Parliament, only the Commission can suspend Privacy Shield. However, if Privacy Shield were to be deemed inadequate based on one or several of the concerns listed above, the many companies that have relied upon Privacy Shield certification would have to implement alternative legal arrangements to authorize data transfers from the EU to the US. Stay tuned.