Further to our last blog of 26 April 2016, we have three updates on the EU-US Privacy Shield.
Firstly, MEPs have passed a non-legislative resolution calling on the European Commission (the Commission) to remedy “deficiencies” in its proposals for the EU-US Privacy Shield.
Secondly, the Irish Data Protection Commissioner (the Commissioner) has announced its intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under so-called Standard Contractual Clauses.
Thirdly, Giovanni Buttarelli, the European Data Protection Supervisor (the EDPS) has published an opinion warning that the EU-US Privacy Shield is not “robust enough to withstand future legal scrutiny before” the CJEU. All three items are discussed below. Before doing so, a brief reminder about the EU-US Privacy Shield may be helpful.
As we have discussed previously (see here and here), the EU-US Privacy Shield is meant to replace “Safe Harbour”, the now defunct framework for EU-US data transfers. Safe Harbour was declared unlawful by the CJEU inMaximillian Schrems v Data Protection Commissioner (Case C 362/14). Until Privacy Shield is fully implemented one way to transfer data outside the EU is by way of “Standard Contractual Clauses”. These are essentially model contract clauses approved by the Commission governing EU-US data protection transfers.
1. The MEPs resolution
On 26 May 2016, Members of the European Parliament (MEPs) passed a non-legislative resolution criticising aspects of Privacy Shield. In the resolution, passed by 501 votes to 119 (with 31 abstentions), MEPs welcome the efforts of the Commission and the US administration to achieve “substantial improvements” in the Privacy Shield compared to Safe Harbour. However, MEPs also express their concerns about the proposed framework including:
- US authorities’ access to data transferred under the Privacy Shield;
- the proposed US ombudsperson, which MEPs believe to be neither “sufficiently independent”, nor “vested with adequate powers to effectively exercise and enforce its duty”; and
- the complexity of the redress mechanism, which the Commission and US administration need to make more “user-friendly and effective”.
MEPs also called for the Commission to conduct “robust reviews” of the Privacy Shield to ensure adequate consumer protection, particularly following recent revisions to the EU Data Protection Regulation due to come into effect in two years’ time.
2. The Commissioner’s referral
On 25 May 2016, the Commissioner said it would refer a question to the CJEU to determine whether model contract clauses remain a lawful way of transferring data from the EU to the US in light of the CJEU’s ruling inMaximillian Schrems v Data Protection Commissioner. In order for the question to be referred to the CJEU, the Commissioner has to first seek a declaratory judgement in the Irish High Court which, if granted, would see the Irish High Court refer the matter to the CJEU.
The Commissioner (which was of course the defendant in Maximillian Schrems v Data Protection Commissioner) now suggests that model contract clauses do not offer EU citizens suitable redress if they feel their rights under EU law have been infringed. If the CJEU agrees with this analysis, and so declares the model contract clauses unlawful, there would (until Privacy Shield comes into force) be a great number of difficulties in lawfully transferring data from the EU to the US. Of course, it is also possible that the CJEU might declare that the model contract clauses were only unlawful for certain types of data transfer to the US.
3. The EDPS opinion
On 30 May 2016, Giovanni Buttarelli, the EDPS, warned in a written opinion that the Commission’s draft adequacy decision was “not robust enough to withstand future legal scrutiny before the” CJEU. He said the Commission should make “significant improvements” to the new framework and should obtain additional reassurances from the US “in terms of necessity and proportionality”. The EDPS (perhaps rather optimistically – see below for our comments) called on the Commission “to develop a longer term solution” in the “transatlantic dialogue” regarding data transfers.
As we noted in our last blog, we are sceptical about the willingness of the Commission or the US administration to re-open negotiations, especially so given that the US is about to engulfed in presidential and congressional elections. There is little political will on either side of the Atlantic to re-open this data protection Pandora’s Box.
The CJEU is likely to take some time to consider the Commissioner’s question (we don’t know what the exact question is yet).
Our next update is likely to come around mid to late June 2016. The Article 29 Working Party (WP29), which has previously been sceptical about Privacy Shield, must approve the new framework before the Commission can adopt it. The WP29 is due to meet in early June and a vote could be taken then. Although the EDPS’s opinion is not binding on WP29, his views are likely to be highly persuasive.