The Privacy Shield was adopted on July 12th, 2016 between the United States and the European Union (EU). It is now however being questioned by the European Parliament which passed a motion for a resolution on the adequacy of the protection afforded by the Privacy Shield. It stated that if companies based in the United States do not comply with the Privacy Shield by September 1st, 2018, it would call on the Commission to suspend the Privacy Shield until they comply.
This could therefore be the end of the Privacy Shield which in turn implies critical questions regarding personal data transfers between the EU and the United States. The European Parliament underlines in its motion for a resolution the importance of personal data transfers in transatlantic relations in light of the ever-increasing digitalisation of the global economy. The end of the Privacy Shield could have dire consequences on relations between the United States and the EU namely regarding commerce.
Let us recall that the Privacy Shield was adopted to address the regulatory void following the invalidation of the Safe-Harbor Framework by the Court of Justice of the EU (case Maximillian Schrems v. Data Protection Commissioner, C‑362/14, 6th of October 2015). The Safe-Harbor Framework regulated the personal data transfers between the United States and the EU.
Mathias Avocats draws an overview of the Privacy Shield Principles and underlines the key points in the motion for a resolution of the European Parliament.
What is the Privacy Shield ?
The Privacy Shield is a self-certification mechanism for companies established in the United States. It has been recognised by the European Commission as providing an adequate level of protection for personal data transferred by a European entity to companies established in the United States. Thus, the Privacy Shield sets a framework for personal data transfers of European data subjects to organisations in the United States. A list of companies considered as complying with the Privacy Shield Principles is available on the official website.
For them to appear on said list they must comply with the Principles (ex: the notice principle which requires organisations to provide certain information to data subjects, the security principle under which organisations must take reasonable and appropriate security measures considering the risks involved with the processing, data minimisation, etc.). These requirements ensure a similar level of protection for the personal data of European data subjects on both sides of the Atlantic.
It must be underlined that while joining the Privacy Shield is voluntary, once an eligible organisation makes the public commitment to comply with the Privacy Shield’s requirements, the commitment will become enforceable under United States law.
What are the main weaknesses of the Privacy Shield ?
In a few words, the European Parliament highlights the persisting weaknesses of the Privacy Shield regarding the respect of the fundamental rights of European data subjects. It namely states the complexity and difficulty of the various procedures for EU citizens and the lack of transparency of the information provided by companies based in the United States on the Privacy Shield and the personal data processing activities they carry out.
In light of Regulation n°2016/679, called the General Data Protection Regulation or GDPR, the lack of transparency of the Privacy Shield is a violation of data subjects’ rights (Article 12 of the GDPR). Furthermore, the Regulation greatly enhances data subjects’ rights which implies that the weaknesses underlined by the European Parliament are all the more important.
Another important point raised in the motion for a resolution is consent. The notion has become more stringent under the GDPR. For example, opt-out constructions are now an invalid mean for requesting consent. The Privacy Shield Principles however do not follow the new EU model. The European Parliament urges for authorities on both side of the Atlantic to provide more specific guidance on the Privacy Shield Principles to ensure compliance with the Regulation and ensure the protection of data subjects’ rights.
The European Parliament grounded its observations on the current situations regarding personal data protection in the United States. It analysed the Facebook and Cambridge Analytica case to illustrate the lack of transparency and the clear non compliance with Privacy Shield Principles. It therefore considers that the Privacy Shield mechanisms does not provide adequate protection of the right to data protection.
It also expresses its strong concern as to the adoption of the Clarifying Lawful Overseas Use of Data Act (Cloud Act) which expands the abilities of the United States Government to access personal data stored abroad. The European Parliament underlines that the lack of safeguards provided for in the Cloud Act for personal data transfers may create a potential conflict with EU data protection laws. The European Parliament further stated its disapproval of the United States’ decision to extended Section 702 of the Foreign Intelligence Surveillance Act (FISA Act) which enables the United States Government to target non United States persons outside of the United States without first consulting the EU and without incorporating the Privacy Shield Principles. These issues have also been analysed by Mathias Avocats in its latest White paper.
The European Parliament’s motion for a resolution is a strong political stand warning the United States that it must change its personal data protection practices and comply with EU standards. It will nonetheless fall upon the Court of Justice of the EU to decide whether or not the Privacy Shield should be invalidated.
Mathias Avocats will keep you informed of any further developments.