Apr 172017

EU Lawmakers Say That Privacy Shield Deficiencies Must Be Fixed Urgently

Colleen Theresa Brown, William RM Long and Thomas Fearon
, , , ,

On 6th April, 2017, the European Parliament adopted a resolution stating that there are deficiencies in the EU-US data transfer accord Privacy Shield which must be “urgently resolved” in order to give citizens and companies legal certainty. MEPs called on the EU Commission to conduct an assessment and to ensure that the Privacy Shield complies sufficiently with the EU Charter of Fundamental Rights and new EU data protection rules.  According to the resolution or related press release, MEPs are particularly concerned about:

  • “[R]ecent revelations about surveillance activities conducted by a US electronic communications service provider on all emails reaching its servers, upon request of the National Security Agency (NSA) and the FBI, as late as 2015, i.e. one year after Presidential Policy Directive 28 was adopted…”;
  • “[T]he ‘Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency under Section 2.3 of Executive Order 12333’, approved by the Attorney General on 3 January 2017, [which the MEPs interpret to permit] the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies”;
  • That the Ombudsperson mechanism set up by the US Department of State is “not sufficiently independent and is not vested with sufficient effective powers to carry out its duties and provide effective redress”;
  • The MEPs perceived lack of “effective judicial redress rights for individuals in the EU whose personal data are transferred to a US organization under the Privacy Shield Principles and further accessed and processed by US public authorities for law enforcement and public interest purposes,” in either the Privacy Shield Principles or letters from the US administration;
  • The rejection, in March, of the FCC Broadband Privacy Rules to heighten protections for the privacy of broadband customers; and
  • The purportedly diminishing authority of the Privacy and Civil Liberties Oversight Board.

The adoption of this resolution follows comments by the EU Justice Commissioner, Vera Jourova, at the end of March 2017, whereby she told Bloomberg that the US must, if it wishes to keep a European Union-U.S. cross border data transfer program in place, satisfy the EU that it will continue to be faithful to appropriate limitations on surveillance and privacy protection policies. Jourova, who stated that “privacy is valued highly and in a different way [in EU countries] than in the U.S.” has also said that, President Donald Trump “understands the economic importance” of the Privacy Shield and that there has been little reason to date “to doubt the commitment of the new government.”

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.