The EU-US Privacy Shield framework, which has faced a barrage of criticism since its approval in July, took another hit last week when the European Parliament’s Civil Liberties, Justice, and Home Affairs Committee (“LIBE Committee”) narrowly voted in favor of a resolution declaring the Privacy Shield inadequate. In a vote of 29 to 25, with one abstention, the Committee approved the resolution, which identifies numerous deficiencies the Committee believes are inherent in the Privacy Shield agreement. The LIBE Committee is seeking a thorough review of the Privacy Shield agreement by the European Commission during the first annual joint review of the Privacy Shield, which is set to occur this summer.
The Privacy Shield provides a mechanism for US-based companies to transfer personal data from the EU to the US. It is a voluntary regime, in which companies self-certify compliance with the requirements of the program. To date, over 1,800 companies have self-certified.
Despite recognizing the Privacy Shield’s improvement over its predecessor, the Safe Harbor framework, key deficiencies in the Privacy Shield framework identified by the Committee include the voluntary nature of the program (meaning not all US companies must abide by its terms) and that many companies that self-certify use US-based arbitrators. According to the LIBE Committee resolution, the use of US-based arbitrators could make it difficult in practice for EU citizens to remedy missuses of their personal data, reports stated.
Mass surveillance by the US government is also a major concern for the LIBE Committee. “[T]he Privacy Shield doesn’t prevent US authorities from carrying out ‘the bulk collection of personal data for national security purposes’” Claude Moraes, the Committee’s chair and resolution sponsor stated, according to reports. Further, the Committee expressed concern that the ombudsperson to be set up at the US Department of State to handle national security complaints will not be sufficiently independent or have adequate power to carry out his or her duties. According to the Committee, details surfacing in October of last year about mass email scanning at the direction of US intelligence officials has caused strong doubts about “the assurances of the US Director of National Intelligence in the Privacy Shield context.”
The LIBE Committee resolution is just the latest in a string of criticisms that the Privacy Shield has faced since its inception. In the Fall, two advocacy groups— Digital Rights Ireland, and the French privacy advocacy group La Quadrature du Net—lodged challenges in the EU General Court, the lower court of the Court of Justice of the European Union, against the Adequacy Decision of the European Commission regarding the Privacy Shield agreement. The groups allege that the adequacy decision is incompatible with the Charter of Fundamental Rights of the European Union and does not provide sufficient protections for EU citizens. Those cases could take a year or more to resolve.
The LIBE Committee’s resolution will likely come for a vote before the whole European Parliament in April. The resolution is provisional until approved by the full European Parliament.