On May 26, 2016, the European Parliament passed a resolution (2016/2727 (RSP)) calling on the European Commission (EC) to reopen negotiations with the United States to improve perceived “deficiencies” in the EU-U.S. Privacy Shield, the successor trans-Atlantic data transfer arrangement drafted by the U.S. and the EU after the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor Framework last October.
Though the European Parliament commended several aspects of the Privacy Shield and the efforts of the U.S. and the EU to make “substantial improvements” over Safe Harbor, the resolution called on the EC to address several deficiencies in further negotiations with the U.S. In particular, the resolution expressed that:
- The Privacy Shield’s safeguards against possible bulk collection of data do not meet the EU’s criteria of “necessity” and “proportionality” as provided in the EU Charter on Fundamental Rights;
- The Privacy Shield’s current redress mechanism should be made more “user-friendly and effective” for EU citizens;
- The Commission should get clarification from the U.S. on the legal status of the “written assurances” that the U.S. included as part of the Privacy Shield; and
- The proposed U.S. Ombudsperson, which would be housed in the State Department, is not “sufficiently independent” or vested with “adequate powers” to fulfill its duty.
The European Parliament’s resolution comes a month after the EU’s Article 29 Working Party (WP29) – an advisory panel to the EC on data protection matters comprised of European data protection regulators – issued its own opinion on the Privacy Shield in early April. The WP29 expressed many of the same concerns about the Privacy Shield’s structure that the European Parliament highlighted, as well as several others not directly mentioned in the resolution. Yet the European Parliament’s resolution called for the EC to “implement fully” the WP29’s recommendations to improve the Privacy Shield before approving the new arrangement.
Neither the resolution nor the WP29’s opinion are binding on the European Commission’s ultimate decision of whether to approve the new data transfer framework in its current form, and the Article 31 Committee representing EU national governments has not yet stated its much-anticipated position on the Privacy Shield. Yet the misgivings expressed by the European Parliament and the WP29 may ultimately push the Commission and the United States back to the negotiating table to make additional changes to the Privacy Shield.