On July 5, 2018, a 303-223 majority of the Members of the European Parliament, (with 29 abstentions), voted, in a non-binding vote, to suspend the EU-US Privacy Shield (Privacy Shield) if the United States does not meet specific requirements by Sept. 1, 2018. The vote approved a Motion for a Resolution that was presented by the LIBE Committee, the Committee of Civil Liberties, Justice and Home Affairs, which deals with the protection of personal data, among other things.
In recent months, the tension between the United States and the EU has increased due to several issues associated with trade in general, with the protection of personal information at the forefront. EU members have persistently alleged that personal information of EU residents transferred to the United States does not receive an adequate level of protection, especially from U.S. businesses and national security agencies.
The 11-page Motion for a Resolution prepared by the LIBE and on which the vote was based, lists a number of concerns on the effectiveness of the Privacy Shield, and points to recent events and “important unresolved issues of significant concern.” Among other things, it expresses concern with the delay in appointing all members of the PCLOB, the Privacy and Civil Liberties Oversight Board, including its chairman, and regrets that the PCLOB did not issue a report on Section 702 the Foreign Intelligence Surveillance Act (FISA) before it was re-authorized in January 2018.
The Motion for a Resolution also criticizes the U.S. Department of Commerce (DoC) in its review of Privacy Shield certification applications, stating that it is “concerned that the DoC has not made use of the possibility provided by the Privacy Shield to request copies of the contractual terms used by certified companies in their contracts with companies to ensure compliance” and “considers therefore that there is no effective control over whether certified companies actually comply with the Privacy Shield provisions.”
However, according to press reports, it appears that the position of the EU Parliament as expressed by this vote, may not be supported by other parts of the EU administration, and it might be premature to conclude that the Privacy Shield is significantly threatened.
Others in the EU administration have voiced different opinions. For example, according to reports of interviews conducted by BNA Bloomberg, the EU Commission believes that at this stage, suspension is not warranted (interview with C. Wigan, spokesperson of the EU Commission). Similarly, the European Data Protection Board (successor of the Article 29 Working Party), believes that the Privacy Shield has “improved and improves the exchange of the data between the US and the EU” (interview with Andrea Jelinek, chair of the EU Data Protection Board).
When the EU-US Privacy Shield Framework was finalized in July 2016, the document provided that compliance with the agreement would be audited each year to ensure that the United States was complying with its commitment. A first review in September 2017 gave the United States a passing grade, but suggested that improvements were needed. The next audit is to be conducted shortly.
This vote sets the stage for the upcoming annual review of how and whether the United States is implementing the Privacy Shield as promised. It also indicates that the EU Parliament intends to exert pressure. With such a clear outline of items of concern, it is likely that some of these issues will be raised during the upcoming audit of the United States’ compliance. It should also be expected that the audit report might incorporate at least some of the points identified in the Motion for a Resolution.
With more than 3,000 companies having self-certified their compliance with the Privacy Shield Principles and more joining every day as part of their compliance with the EU General Data Protection Regulation, the Privacy Shield is an important tool for numerous U.S. companies doing business with the European Economic Area. Its simplicity, efficiency, and transparency have made it a useful tool for numerous U.S. based companies to ensure and demonstrate that their practices meet the “adequacy level” required by Section 45 and 46 of the EU General Data Protection Regulation. It is also an important tool for entities established in the European Economic Area because it facilitates their exchange of data with their U.S. counterparts and reduces the amount of paperwork when transferring data to the United States. When a tool has value for both data exporters and data importers, more efforts may be needed to preserve it.