In a resolution adopted on 6 April 2017, Members of the European Parliament (“MEPs”) expressed their “alarm” over several recent changes to the US privacy law regime. The resolution, passed by 306 votes to 240 with 40 abstentions, comes amidst growing concerns that President Trump and the US Congress are withdrawing from commitments made by the Obama administration in relation to US obligations under the EU-US Privacy Shield.
By way of a reminder, the EU-US Privacy Shield provides a framework for EU-US personal data transfers. Privacy Shield is the replacement for the Safe Harbour data transfer scheme, which was declared unlawful by the Court of Justice of the European Union (“CJEU”) in Maximillian Schrems v Data Protection Commissioner (Case C-362/14).
The MEPs resolution notes “with great concern” the recent rule changes in the US which allow the “NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency and the Department of Homeland Security”. MEPs are also worried about the rejection of rules to protect the privacy of broadband customers by the Senate and the House of Representatives in March 2017, which “eliminates … rules that would have required internet service providers to get consumers’ explicit consent before selling or sharing web browsing data and other private information with advertisers and other private companies”. The resolution therefore calls on the “Commission to conduct, during the first joint annual review, a thorough and in-depth examination of all the shortcomings and weaknesses” of the Privacy Shield scheme.
As we noted in our last blog about this matter in September 2016 (see here), there are concerns that the Privacy Shield does not meet the requirements of EU law. Recent changes to US privacy laws have only heightened these concerns. Many increasingly believe that, in its current form, the CJEU is likely to declare the replacement scheme to be incompatible with EU law. Therefore the main aim of the resolution is to make sure that the Privacy Shield protects the personal data of EU citizens in order to comply with the EU Charter of Fundamental Rights and the soon to be effective General Data Protection Regulation so to avoid being successfully challenged.
The Privacy Shield is expected to be reviewed by the Commission in September 2017. It will be interesting to see whether this review, and the recommendations which may follow, will address MEPs concerns. Given that the principal shortcomings in the scheme lie with the approach of the Trump administration to privacy matters, it seems difficult to imagine what, if anything, the Commission will be able to do.