The saga continues on the quest to improve the EU-U.S. Privacy Shield Agreement (“Privacy Shield”), the framework that, if enacted, would permit transatlantic data flows from the EU to the U.S. Yesterday, the European Parliament approved a resolution asking the European Commission (the “Commission”) to (1) clarify the legal status of “written assurances” provided by the U.S., (2) implement the Article 29 Working Party (the “Working Party”) recommendations, and (3) revisit negotiations with the U.S. to improve Privacy Shield deficiencies.
In late February, the Commission issued a draft adequacy decision that formed the basis of Privacy Shield. The decision was criticized in an opinion by the Working Party, a group comprised of representative data protection authorities from each EU member country and the European Data Protection Supervisor. Yesterday’s European Parliament resolution calls for full implementation of the Working Party opinion recommendations and highlights several deficiencies of the draft decision, including the following:
- Bulk collection remains an issue: Under Presidential Policy Directive 28, bulk collection is still permitted and does not meet necessity and proportionality requirements of the Charter of Fundamental Rights of the European Union.
- Ombudsperson lacks independence and power: The Ombudsperson role envisioned in the Privacy Shield lacks sufficient independence and does not have adequate powers to exercise and enforce its duty.
- Legal uncertainty where rules are not clear and uniform. Legal certainty is essential for business development and growth. Without it, companies face legal uncertainty and serious impacts to operations, consumer trust, and the ability to conduct transatlantic business.
This Parliament resolution is another setback that will likely impact the timing and substance of the final adequacy decision. What’s more, the Article 31 Committee, a body comprised of Member State representatives, has yet to provide its opinion on Privacy Shield. Put simply, the Commission is facing an uphill battle with Privacy Shield. It is unclear whether and to what extent these recommendations will be implemented and that does not bode well for companies hoping to certify under Privacy Shield. In the meantime, alternative transfer mechanisms, such as model contracts, remain the best option for companies to comply with EU data protection laws.