2018/09/26

Is the Privacy Shield on borrowed time? (by General Marc Watin-Augouard)

On October 18th and 19th, the second annual Privacy Shield assessment will be held. The discussions will unfold in a clearly less favorable context than when the Privacy Shield was created. This is reflected in the European Parliament’s resolution dated July 5th 2018, which called upon the Commission to suspend the Data Protection Shield until US authorities complied with the provisions of the agreement.

Let us recall that the Privacy Shield arose from the annulment by the European Union Court of Justice of the Commission’s Decision 2000/520/EC dated July 26th 2000, which had concluded that the United States respected the Safe Harbor.

European judges considered that the conditions required to ensure an adequate level of protection for data transferred across the Atlantic were not respected. Following negotiations, Implementing Decision (EU) 2016/1250 was adopted by the Council on July 12th 2016, after approval by the European Parliament. It took note of the adequate level of protection of personal data transferred from the EU to organizations in the United States under the EU-US Data Protection Shield. Thus the Privacy Shield replaced the Safe Harbor. The Privacy Shield was first reviewed in September 2017. Based on a report, the Commission considered on October 18th that “US authorities have set up the structures and procedures necessary to ensure the proper functioning of the Data Protection Shield”. This glowing report was based in particular on access to the new possibilities of taking legal action. However, European data protection authorities and independent bodies such as CNNum did not share this optimism.

The second review, which is to begin shortly, will most likely be subject to more heated exchanges, considering the European Parliament’s position.

To justify its position in the resolution that the Data Protection Shield does not provide the adequate level of protection required by EU data protection law and the Charter of Fundamental Rights of the European Union, as interpreted by the EU Court of Justice, the European Parliament makes several observations, among which:

  • The EU-US Data Protection Shield is made up of several unilateral commitments and guarantees by the US administration, making clear, among other things, the principles of data protection, the functioning of surveillance, the enforcement of law and means of recourse and the protections and guarantees under which security agencies may have access to and process personal data. These commitments are not upheld;
  • Although the “Article 29” Working Group’s document dated November 28th 2017, entitled “EU-US Privacy Shield – First Annual Joint Review”, duly notes the progress of the Data Protection Shield in regard to the invalidated decision relating to the Safe Harbor, “a number of issues, significant and of great concern, remain unresolved, regarding both the US government’s trade and its access to data transferred to the United States under the Data Protection Shield (whether for law enforcement or national security purposes)”;
  • The mediation mechanism set up by the US State Department is not independent enough and does not have sufficiently effective powers to fulfill its mission and offer EU nationals efficient legal solutions;
  • The various appeals procedures available to EU citizens can prove to be too complex, difficult to implement and ineffective;
  • The lack of specific regulation and guarantees in the Data Protection Shield, in regard to decisions based on automated processing and profiling that have legal ramifications and/or significantly affect the individual;
  • On January 11th, 2018, the US Congress amended and reauthorized Section 702 of FISA without addressing concerns expressed by the Commission in its Joint Review Report and by the “Article 29” Working Group;
  • Facebook Inc., Cambridge Analytica and SCL Elections Ltd are certified companies under the Data Protection Shield and, as such, have benefited from the adequacy decision as a legal basis for the transfer, with the purpose of subsequent processing, of personal data from the European Union to the United States. Yet Facebook has confirmed that the data of 2.7 million EU citizens appear in the data improperly used by the political consultancy Cambridge Analytica.

For all these reasons, the Parliament is increasingly worried that the European Union Court of Justice could invalidate the Commission’s Implementing Decision (EU) 2016/1250 on the Data Protection Shield.

This is the context in which the second review of the Privacy Shield will open on October 18th and 19th, 2018. On July 26th, Justice Commissioner Věra Jourová wrote to Wilbur Ross, US Secretary of Commerce, to voice her concerns about the American administration’s tardiness in implementing Privacy Shield measures. The consideration of GDPR measures will also be a subject of debate with US authorities.