EU Parliament questions US compliance with data privacy shield, calls for suspension
ICTSD | 12 July 2018
EU Parliament questions US compliance with data privacy shield, calls for suspension
The European Parliament adopted a resolution last week to suspend the EU-US Privacy Shield agreement, saying the US’ compliance efforts to date “fail to provide enough data protection for EU citizens.” The non-binding document calls for putting the deal on ice unless the US shows that it has upheld the deal’s terms by 1 September 2018.
The motion was put forward by the EU Parliament’s Civil Liberties, Justice, and Home Affairs Committee in June, and passed with 303 to 223 votes with 29 abstentions at a plenary session last week.
“This resolution makes clear that the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter,” said Committee Chair and rapporteur Claude Moraes. Moraes is an EU parliamentarian from the UK, and serves as part of the Group of the Progressive Alliance of Socialists and Democrats in that chamber.
In a debate that took place the day before the vote, Věra Jourová, the European Commissioner for Justice, Consumers, and Gender Equality, said that the EU’s executive branch “will not hesitate to act upon its obligations and to make use of its power to suspend the Privacy Shield.” A suspension, however, “is not warranted,” she added.
“I would like to recall that the Privacy Shield was set up to offer a high level of protection for personal data. It provides the adequate level of protection required by EU data protection law and the EU Charter,” said Jourová.
In its first report on the functioning of the trans-Atlantic legislation in October last year, the Commission said the data exchange under the Privacy Shield was meeting European data protection standards, while also providing a set of recommendations to improve its functioning in the future.
The Privacy Shield acts as a mechanism for US-EU exchange of personal data for commercial purposes, aimed at safeguarding “fundamental” privacy rights of European citizens. First adopted in July 2016, it replaced the Safe Harbour arrangement, which the European Court of Justice ruled to be invalid in October 2015. (See Bridges Weekly, 8 October 2015)
To join the Privacy Shield framework, a US-based organisation has to undergo a series of steps. This includes making a public pledge to fulfil the framework’s requirements, along with “self-certifying” that it is doing so, according to a description on the relevant US government website for the shield. A similar arrangement is in place between the US and Switzerland.
“While joining the Privacy Shield is voluntary, once an eligible organisation makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under US law,” the site notes.
Specific concerns
The parliamentary resolution comes largely as a response to the Facebook-Cambridge Analytica data breach, lawmakers noted, which involved the unauthorised collection of personally identifiable information of 87 million Facebook users, and affected 2.7 million European citizens. Facebook is certified under the Privacy Shield, while Cambridge Analytica was disbanded after the scandal.
Given this context, several European Parliament members say that they fear that certain companies may use the data they collect to influence electoral processes, such as by trying to shape public views on political subjects or candidates. Such influence efforts have already been documented and prosecuted in the UK.
In the debate, Jourová said that the Cambridge Analytica data breach took place before the Shield was in place, even though the breach was discovered after the Shield took effect in 2016. She also argued that the new shield puts rules and systems in place that could prevent future breaches from occurring.
“Thanks to stricter conditions for the sharing of personal data with third parties, and more stringent rules on data retention, the data of our citizens is now better protected when it is transferred to the United States,” she added. She welcomed the US Federal Trade Commission opening an investigation on the case.
Several EU parliamentarians explained that they supported a suspension given their fears that actions to address data misuses by US companies is slow, and that there still is no permanent ombudsperson in place under the new US administration to oversee the Privacy Shield’s implementation.
EU authorities should thus investigate cases of data misuses and if appropriate, take action to suspend or ban data transfers under the Privacy Shield, the resolution says.
The recent adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a piece of US legislation that was signed into law this year, also came under review during the EU lawmakers’ meeting. The CLOUD Act expands the potential reach of law enforcement when it comes to accessing data located abroad, with some limitations.
“The CLOUD Act could have serious implications for the EU as it is far-reaching and creates a potential conflict with the EU data protection laws,” states the resolution.
European Commission officials, while acknowledging these concerns, have suggested that a suspension may be premature, along with causing other hurdles for EU businesses. Jourová warned that suspending the regulation would increase costs for smaller companies.
“As many of the speakers mentioned, there are also concerns regarding small and medium-sized European enterprises. I remember the time after 6 October 2016 when Safe Harbour was annulled by the European Court of Justice. What do you think of the big American companies? What are they doing?... [There was] panic and a big problem of sudden legal uncertainty. That’s why we worked so hard on creating the new system, fully tailored to the requirements of the European Court of Justice,” she said.
In a public letter to the European Parliament, the American business association AmCham echoed these concerns. “If the Privacy Shield is suspended, opportunities for businesses with operations in both the EU and the US and in particular small and medium-sized enterprises will be highly limited,” the letter says.
In addition, Jourová warned that suspending the deal with such little notice would affect individuals in the EU, given that their personal data would no longer benefit from the Privacy Shield’s additional protections.
European data protection regulations
The discussions on the Privacy Shield come less than two months after the EU’s General Data Protection Regulation (GDPR) took effect. The GDPR is designed to help govern the use of personal information, giving EU-based individuals a greater say how their data is treated, along with aligning European countries’ approach on data privacy, among other objectives. (See Bridges Weekly, 31 May 2018)
The Privacy Shield is focused specifically on regulating cross-border data exchanges between the EU and the US, with nearly 4000 companies from both sides signed up to the new framework. The GDPR and Privacy Shield are meant to be complementary tools.
“Even though the Privacy Shield predates the entry into application of the EU’s new rules, the General Data Protection Regulation, we negotiated the Shield with the new standards in mind,” said Jourová.
The Privacy Shield also envisions an annual review process, in line with the GDPR’s requirement for having a periodic review mechanism in place, with set timeframes.
Various EU lawmakers, however, noted that their concerns still stand, given current events. “In the wake of data breaches like the Facebook and Cambridge Analytica scandal, it is more important than ever to protect our fundamental right to data protection and to ensure consumer trust. The law is clear and, as set out in the GDPR, if the agreement is not adequate, and if the US authorities fail to comply with its terms, then it must be suspended until they do,” Moraes said regarding the parliamentary resolution.
The second annual review of the Privacy Shield, led by US Commerce Secretary Wilbur Ross and Commissioner Jourová, will be held in Brussels in October.
ICTSD reporting; “Facebook hit with first fine over Cambridge Analytica data scandal,” FINANCIAL TIMES, 11 July 2018.