Just in the last week, both the European Parliament and the European Data Protection Supervisor (“EDPS”) published findings holding the currently proposed EU-US Privacy Shield to be seriously deficient, and calling for further negotiations to deal with those “holes”.
On May 26, 2016, the European Parliament passed a resolution, see EU Parliament Resolution, basically saying nice try, no cigar! While acknowledging that great strides were made, the Parliament felt that too many gaps remained. Not surprising were the on-going concerns about the broad gathering of private data (i.e., bulk collection) by the U.S. government and what is viewed as the less than clearly defined circumstances in which that data may be used for recognized national security and law enforcement reasons, and what else?
Reiterating that “personal data, respect for private life and communications, the right to security, and to receive and impart information and the freedom to conduct business” are all fundamental rights, the Parliament also called into question how those rights would be protected for small and medium-sized businesses; questioned whether the Privacy Shield was actually in compliance with EU law; expressed its continuing unease with the apparent lack of independence for the ombudsperson (intended to assist claimants); expressed an obvious distaste for the on-going bulk collection of data by the U.S. government; sought clarification about the legal status of the written assurances by various government entities which supported the commitments the U.S. made; and finally concluded that there is a serious lack of legal certainty surrounding the transfer of personal data between the EU and US, despite the advances made. The Parliament concluded by calling on the European Commission to continue its negotiations with the U.S. seeking further improvements.
The EDPS opinion was issued on May 30, 2016. See EDPS Opinion 4/2016. After acknowledging the importance and value of transatlantic data transfers in modern life, this independent EU institution went on to call the Privacy Shield a “step in the right direction” and urged “robust improvements”. Then, like the EU Parliament, it called for additional reassurances and clarifications, i.e., further negotiations, between the two sides. The opinion focused particularly on the bulk collection issue, framing the point as follows: such action should only take place in “exceptional circumstances and when indispensable for specified public interest purposes.” The EDPS also underscored the need for a “comprehensive and solid” solution.
One point the EDPS report added is the expression of doubt about compliance and enforcement in the U.S. absent U.S. government monitoring of compliance by self-certifying companies! It also called into question whether EU citizens really understood the nature of the data being transferred, how it was being automatically processed or the full extent of how long the data was being retained, all relevant factors under EU law. Finding written assurances and Presidential orders insufficient, the EDPS goes so far as to recommend that key provisions be enacted into federal law in the U.S.
Both organizations also called into question the value of the Privacy Shield effective in May 2017, when its contents fail to incorporate the provisions in the General Data Protection Regulation taking effect in May 2018.
Despite being called into question by various EU Member State Data Protection Authorities, American companies seeking ways to avoid running afoul of the EU data privacy laws are left to continue their reliance on model contracts and corporate resolutions, at least for now. Stay tuned, as this issue is obviously far from settled!