On April 6, 2017, MEPs passed a resolution calling on the Commission to conduct a proper assessment to ensure that the Privacy Shield provides enough personal data protection for European citizens to comply with the EU Charter of Fundamental Rights and new EU rules on data protection. The Privacy Shield was laboriously negotiated and agreed in 2016 between the United States and the European Union to cover personal data transfers between these two markets crucial to world trade, in replacement of the previous Safe Harbor rules, which had been found by the European Court of Justice not to provide an adequate level of data protection.
The European MPs concern regards a number of issues including:
- new rules which entered into force in January 2017 allowing the US National Security Agency to share vast amounts of private data, gathered without court oversight, with a number of other agencies, including the FBI
- insufficient independence of the Ombudsperson mechanism, added to the fact that the Trump administration has not yet appointed a new Ombudsperson
- the fact that neither the Privacy Shield Principles nor letters from the US administration demonstrate the existence of effective judicial redress rights for EU individuals whose data are transferred to the US
- the vote of the US Congress to repeal rules adopted by the Federal Communications Commission during the Obama administration, which were due to come into force later this year, and would have obliged internet service providers to give users an information notice and obtain their consent before collecting and selling their personal data.
The Italian Data Protection Commissioner a few days earlier also expressed concern in relation to the repeal of the FCC rules. He pointed out that this is a regressive move, going against the increasingly prevailing trend worldwide in the direction of a greater protection of consumers’ data, since it allows providers to freely sell not only user profiles and purchase preferences, but even data revealing political and religious opinions and health data, classed in European law as sensitive data deserving a high level of protection. He said that this could have serious repercussions putting the Privacy Shield at risk.
The bill repealing the FCC rules was signed by President Trump only days after a speech to the Center for Strategic and International Studies in Washington by Vĕra Jourovà, EU Commissioner for Justice, Consumers and Gender Equality in which she emphasized the potential of the Privacy Shield to strengthen the transatlantic economy while reaffirming shared values, but stressed at the same time the importance of ensuring that its key foundations remain in place. The repeal of the FCC rules and the removal of the privacy protection they entailed does indeed raise doubts as to whether some of the key principles of the Privacy Shield, including the Notice Principle, the Choice Principle and the Data Limitation and Purpose Limitation Principle can be upheld.
The Justice Commissioner in her speech also particularly mentioned that “there would be no Privacy Shield without Presidential Policy Directive no. 28 and the Ombudsperson. Both are central elements of the representations and commitments on which the [Privacy Shield] framework is built”. The reference to Presidential Policy no. 28 (which sets out policies and procedures governing the safeguarding by US intelligence operators of personal information collected from signals intelligence activities, and extends to non-US citizens safeguards that require that surveillance of US citizens be limited to defined and legitimate purposes) may not have been casual, since the European MPs’s resolution also expresses concern in relation to recent revelations about surveillance activities conducted at the request of the NSA and FBI in 2015, a year after Presidential Policy Directive no. 28.
Later this year a monitoring of how the Privacy Shield is working in its day-to-day implementation will be commenced, but in view of the above concerns and, indeed, the report that on April 4, Angela Merkel said she would like to discuss international rules for internet data sharing at the upcoming G20 summit in Hamburg, it seems likely that the EU may take a further position on the Privacy Shield before that.