7th April 2017
In a wide-ranging speech during her recent visit to Washington DC, Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, confirmed that the first annual joint review of the EU-US Privacy Shield will take place in September.
The Privacy Shield framework was created to protect the rights of those EU citizens whose personal data is transferred to the US after the Court of Justice of the European Union (CJEU) held that the previous framework, ‘Safe Harbor’, was invalid. Nearly 2,000 US companies have so far signed up to the Privacy Shield, which is a self-certification mechanism.
The framework agreement was criticised even before its launch in July 2016 (see our earlier briefing Putting the EU-US Privacy Shield into motion – what next?) and the concerns and challenges have been mounting ever since.
Privacy advocacy groups in Ireland and France are seeking to have the Privacy Shield annulled in two separate actions before the CJEU. They are challenging the European Commission’s ‘finding of adequacy’ that US organisations signing up to the Privacy Shield provide an equivalent level of protection for EU personal data transferred to the US (see our earlier briefing Newsflash: EU-US Privacy Shield challenged before the European court).
Concerns over the future of the Privacy Shield intensified recently after President Trump signed an executive order potentially affecting the privacy protections of non-US citizens or permanent residents. While the US sought to play down the concerns, the Article 29 Working Party (comprising the European Data Protection Supervisor, the European Commission and a representative of each Member State’s data protection authority) decided to write directly to the US authorities for clarification.
On 23 March 2017, the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs narrowly approved a resolution labelling the Privacy Shield as inadequate, stressing that key deficiencies remain to be urgently resolved (see the press release here). On 6 April 2017, MEPs adopted the non-legislative resolution, calling on the Commission to “conduct a proper assessment and ensure that the EU-US ‘Privacy Shield’ for data transferred for commercial purposes provides enough personal data protection for EU citizens to comply with the EU Charter of Fundamental Rights and new EU data protection rules” – which includes the new EU General Data Protection Regulation (GDPR) coming into force in May 2018.
The European Parliament press release on the vote sets out the issues that MEPs are particularly concerned about. They include: recent revelations about surveillance activities conducted by a US electronic communications service provider at the request of government agencies; new rules allowing the National Security Agency to share with 16 other agencies vast amounts of private data, gathered without warrant, court orders or congressional authorisation; vacancies at the Federal Trade Commission which enforces the Privacy Shield; and insufficient independence of the Ombudsperson mechanism (added to the fact that a new Ombudsperson has not yet been appointed by the Trump administration).
In a joint letter, Human Rights Watch and the American Civil Liberties Union urged the Commissioner to re-examine whether the Privacy Shield and EU-US Umbrella Agreement (on the protection of personal data exchanged for law enforcement purposes) sufficiently protect the fundamental rights of people in the EU. A further letter from a coalition of 17 civil liberties organisations urged the Commissioner to ensure that the US substantively reforms its surveillance laws this year to protect the rights of non-US persons including Europeans, and called on her to suspend the Privacy Shield if there are no meaningful reforms. The focus of the letter was the review in the US later this year of section 702 of the US Foreign Intelligence Surveillance Act 1978 (FISA) – the legal justification for surveillance programmes targeting non-US citizens.
In her speech, the Commissioner said that the Privacy Shield framework has enormous potential to strengthen the transatlantic economy and reaffirm the shared values of the EU and US, but that “we now have to ensure that it keeps working as it should”. This involves ensuring that the key foundations of the Privacy Shield remain in place, and ensuring proper day-to-day implementation and robust follow-up. The Commissioner mentioned that maintaining the limitations and safeguards in the area of government access for national security reasons is crucial.
The Commission acknowledged in its adequacy decision back in July 2016 that the Privacy Shield would need to be reviewed both when section 702 of FISA is reviewed and when the GDPR comes into force (see Our series of guides to the EU General Data Protection Regulation: the latest guidance on GDPR for the latest on the incoming legislation for which all businesses need to be prepared).
There is no immediate impact on data transfers to the US and the Privacy Shield remains a valid transfer mechanism. However, the joint review may result in the Privacy Shield being either suspended or amended, and organisations need to be prepared to make changes to their policies and procedures accordingly.
Walker Morris will continue to monitor and report on developments in this fast-moving area. In the meantime, if you have any queries arising from this briefing, please do not hesitate to contact Jeanette Burgess or Andrew Northage, who will be very happy to help.