We have previously written about the ongoing debate regarding the proposed EU-U.S. Privacy Shield. The European Parliament has now added its voice to those who say that the current proposal is inadequate.
As a reminder, the proposed Privacy Shield is intended to replace the previous EU-U.S. Safe Harbor framework, which the Court of Justice of the European Union invalidated last October on the grounds that the Safe Harbor failed to adequately protect European citizens’ privacy rights from U.S. intelligence authorities. After that, U.S. and European Commission (the “EC”) officials spent months negotiating the new Privacy Shield agreement.
The Privacy Shield proposal provides a regime whereby U.S. companies can certify to the Department of Commerce that they agree to abide by certain requirements, including compliance with EU data security procedures. It also provides for monitoring and enforcement by the EC and U.S. authorities, as well as avenues for EU citizens to seek redress for violations. Our full explanation of the Privacy Shield proposal can be found here.
In April, the Article 29 Working Party on Data Protection—an advisory body composed of representatives from EU data protection authorities, the European Data Protection Supervisor (“EDPS”), and the EC—issued an opinion criticizing the Privacy Shield proposal. As we explained, Article 29 acknowledged that the proposal constituted a major step forward from the previous Safe Harbor. But the group expressed concern about the continued prospect of indiscriminate data collection by U.S. authorities, and questioned whether the ombudsperson responsible for remedying violations would have sufficient power and independence to carry out that responsibility.
Now the European Parliament has entered the fray, and in a 501–119 vote is urging the EC to reopen negotiations with U.S. authorities to fix the Privacy Shield’s “current deficiencies.” The areas of concern largely echo those raised by Article 29, including U.S. authorities’ access to—and potential bulk collection of— EU citizens’ data, as well as skepticism about the redress mechanism and the proposed ombudsperson. The resolution also calls on the EC to conduct “periodic robust reviews” of its finding that the Privacy Shield affords EU citizens adequate protections.
Like the Article 29 opinion, the European Parliament resolution is not binding on the EC. However, the resolution casts more doubt on the Privacy Shield’s prospects of being adopted in its current state. We will continue to monitor and report on these developments in the weeks to come.