On May 25, 2016, the European Parliament (EP) passed a non-binding resolution calling for the European Commission (EC) to reopen negotiations with the United States in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.

The resolution requested improvements beyond the agreement reached between U.S. and EU negotiators in February. On February 29, 2016, the EC published a draft decision that approved the Privacy Shield arrangement as adequate. The Privacy Shield is intended to replace the EU-U.S. Safe Harbor Framework, which the Court of Justice of the European Union invalidated in October 2015.

The resolution, which the EP adopted in a 501-119 vote with 31 abstentions, largely supports criticisms in the April 13, 2016 Opinion issued by the Article 29 Working Party. Although the resolution acknowledged that the Privacy Shield contains “substantial improvements” compared to the Safe Harbor arrangement, it also called on the EC to “continue the dialogue with the U.S. administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.”

The “deficiencies” about which the Members of the European Parliament (MEPs) voiced concerns include:

  • the lack of restriction on access to European citizens’ personal data by U.S. intelligence agencies and the possibility of their collecting bulk data;
  • the proposed U.S. Ombudsman, created to review the complaints of European citizens, which the resolution called neither“sufficiently independent” nor “vested with adequate powers to effectively exercise and enforce its duty”; and
  • the complexity of the redress mechanism, which the resolution requested the EC and U.S. make more “user-friendly and effective.”

Further, the resolution called on the EC to:

  • fully implement the recommendations in the April 13, 2016 Opinion of the Article 29 Data Protection Working Party;
  • conduct robust periodic reviews of its decision that the protection provided by the Privacy Shield is adequate, particularly in the light of the new General Data Protection Regulation, which will go into effect in 2018; and
  • continue its dialogue with the U.S. to negotiate further improvements to the Privacy Shield.

The Article 31 Committee responsible for approving the Privacy Shield will take the EP’s resolution into consideration before voting on its adequacy. The Committee, which is composed of Member State representatives and chaired by the EC, is still deliberating regarding the Privacy Shield. The EC is expected to present to the Article 31 Committee a revised adequacy decision at the beginning of June. A vote is intended by the end of the month, and the EC aims to conclude approval of the Privacy Shield by mid-July.

Practical Implications

Invalidation of the EU-U.S. Safe Harbor Framework created considerable uncertainty for both businesses and consumers regarding transatlantic data transfer. Speaking after the European Parliament adopted its resolution, MEP Timothy Kirkhope, a member of the UK Conservative Party, stated:

“The Privacy Shield needs some clarifications as to how it will work in practice, which the Commission have said it is pursuing, but getting the Privacy Shield up and running swiftly is essential for businesses operating across the Atlantic. Businesses and consumers were left in legal limbo and uncertainty when Safe Harbor was rejected. It is about time that the businesses and their clients have legal certainty.”

The resolution should contribute to increased clarity for both businesses and individuals regarding data transfer between the EU and United States.