On 18 September 2017, US Secretary of Commerce Wilbur Ross and European Commissioner Vĕra Jourova will launch the first annual review of the EU-US Privacy Shield agreement (“Privacy Shield”). The review will be a two-day exercise where European Commission representatives meet their US counterparts to verify the correct implementation of the Privacy Shield.
The Privacy Shield provides a framework to ensure the protection of EU citizens’ personal data transferred for commercial purposes from the EU to the US. To date, approximately 2,500 US companies have self-certified under this data protection scheme.
Despite these numbers, the Privacy Shield has been under significant pressure during its first year, with:
- two ongoing challenges before the European Court of Justice (“ECJ”) (see case T-670/16 and case T-738/16);
- an Executive Order issued by the Trump administration on 25 January 2017 raising doubts about the commitment of the US to complying with its provisions;
- a resolution adopted by the European Parliament on 6 April 2017 highlighting its main perceived shortcomings; and
- a press release issued by the Working Party 29 (the association of EU data protection authorities) on 13 June 2017 questioning its robustness.
Meanwhile, on 26 July 2017, the ECJ declared that the draft agreement between the EU and Canada on the transfer of Passenger Name Record data could not be concluded in its current form. This draft agreement provides for the systematic transfer, retention and use of passenger data in the context of the fight against terrorism. The ECJ held that certain provisions of the draft agreement, in particular the provisions relating to automated analysis of personal data, are incompatible with EU privacy rules. Privacy advocates speculate that this ECJ ruling supports the position that the Privacy Shield would in its current version also be incompatible with the EU data protection framework. Indeed, the annulment proceedings against the Privacy Shield that are currently pending before the ECJ also relate to the tension between deploying mass surveillance and ensuring necessity and proportionality in the public interest.
On 25 August 2017, US President Trump nominated Mr Adam Klein as the new chair of the Privacy and Civil Liberties Oversight Board, a body deemed essential under the Privacy Shield to address EU individuals’ concerns about US surveillance programmes. This decision sparked some controversy within data privacy circles as Mr Klein is said to be in favour of allowing warrantless searches of US citizen data gathered through bulk data surveillance programmes under the US Foreign Intelligence Surveillance Act.
Despite these developments, the European Commission and the US Federal Trade Commission have consistently reiterated the importance of the Privacy Shield ahead of its first annual review. It is, however, fair to say that the European Commission is being pressured by the Working Party 29, the European Parliament and the ECJ to tackle the main issues surrounding the Privacy Shield.
Next week, EU representatives will have to discuss several key data protection topics and seek clarity from the US on, among other things:
- the conditions for onward transfers of EU citizens’ personal data from the US to other third countries;
- the independent nature of and the effectiveness of the powers vested in the Ombudsman mechanism;
- the extent and the effectiveness of the judicial redress rights of EU citizens before US agencies;
- the safeguards against bulk surveillance of personal data by US law enforcement agencies; and
- the recourse that EU citizens may have against automated decision-making by US companies.
The upcoming joint review does not aim at renegotiating the Privacy Shield altogether. However, if the European Commission comes to the conclusion that the Privacy Shield in its current form does not provide adequate protection, it could request a reopening of negotiations with the US.
Look out for the following developments that are expected to further shape the debate:
- the conclusions that will be drawn by the European Commission and the Federal Trade Commission following the joint review exercise;
- other reports that may be issued following the joint review (the Working Party 29 has already hinted that it may issue its own report); and
- the opinion of the Advocate General of the ECJ on the ongoing legal challenges to strike down the Privacy Shield, which will likely be delivered later this year.