Jun 142018

European Lawmakers Call on the EU to Suspend the EU-U.S. ‘Data Transfer’ Privacy Shield

Colleen Theresa Brown, William RM Long, Jasmine Agyekum, Cameron F. Kerry and Eleanor Dodding
, , , , , ,

On 11 June 2018, members of a Committee within the European parliament (“MEPs”) narrowly voted in favour of suspending the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement that facilitates the transfer of personal data of EU data subjects to the U.S., unless the U.S. government fully complies with the Privacy Shield data protection requirements by 1 September 2018. Although the resolution is only a draft and has no legal effect, it reflects continued European concerns surrounding Privacy Shield.  

The resolution passed the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) by 29 votes to 25 with 3 abstentions.  LIBE passed a similar resolution by an identical vote prior to the annual review of the Privacy Shield in 2017.  This year, LIBE reiterated its general view that  the Privacy Shield does not provide an “adequate level of protection required by [EU] data protection’ law” and calls for its suspension. The Privacy Shield, adopted by the European Commission and U.S. Department of Commerce in July 2016, has enabled over 3,100 U.S. companies to certify under the Privacy Shield that they comply with EU data protection obligations in order to be able to transfer personal data of EU citizens to the U.S without breaching EU data protection laws.

The LIBE resolution adds issues that are likely to be major topics of the Commission review upcoming this year.  LIBE admonishes the U.S. for taking too long to appoint members to fill multiple vacancies on the U.S. Privacy Civil Liberties Oversight Board (“PCLOB”), an independent privacy oversight body, or to confirm the nomination of a Chairman. to the PCLOB, which the LIBE argues hinders the effective ‘adequate protection’ of the transfer of EU personal data to the U.S. In addition, the Resolution critiques the U.S. administration for not appointing a permanent Ombudsmen to chair the PCLOB, noting this “does not contribute to mutual trust” as the continuation of an interim Ombudsman creates the “view that in the absence of an appointed independent, experienced and sufficiently empowered Ombudsperson, the US assurances…would be null and void.

Currently, the PCLOB comprises one Board member, Elisabeth Collins, and lacks a quorum to take formal action.  The long-pending nomination of Adam Klein to chair the body has been reported favourably by the Senate Judiciary Committee and is awaiting a vote by the full Senate.  Two additional nominees for the Board had hearings in May, but Judiciary has not yet voted on these nominations.

Another source of tension appears to arise from the recent adoption of the Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) which has, in the view of the LIBE, created “potential conflict with…EU data protection laws” by expanding the ability of U.S. and foreign law enforcement to target and access personal data of EU data subjects across international borders. The CLOUD Act resolved an open question about whether the U.S. government could use a probable cause warrant issued under the U.S. Stored Communications Act (SCA) to compel companies to produce emails stored overseas.  The CLOUD Act attempts to address international comity issues with regard to cross-border data requests by permitting recipients of legal process under the amended SCA to file a motion to modify or quash the process if they believe (1) the individual whose records are being sought “is not a United States person and does not reside in the United States” and (2) “that the required disclosure would create a material risk” of violating the laws of qualifying foreign governments.

Opponents of the LIBE resolution, in particular, English MEP Dan Dalton, a member of the European Conservatives and Reformists Group in the European Parliament, have attacked the resolution reportedly calling it  “irresponsible” as the suspension “would in reality diminish the data protection rights of EU citizens and leave them in legal limbo”. Axel Voss, a German MEP and member of the European Peoples Party in the European Parliament, also argued the suspension would undermine “the essential basis for the functioning of a tool which benefits thousands of European companies and protects the data of European citizens,” raising the question of whether “revoking the Privacy Shield [would] really benefit anyone.

The draft resolution, which has no power to suspend the Privacy Shield in of itself, will be voted on by the entire European Parliament in July 2018. Even, if approved, the resolution will not take legal effect to invalidate the Privacy Shield. It would instead represent the European Parliament’s stated position on the Privacy Shield. The European Commission is required to take the position into account when reviewing the Privacy Shield later this year as part of its annual review, scheduled to take place in September 2018, into the effectiveness of the Privacy Shield in ensuring ‘adequate protection’ of EU citizens personal data when transferring such data to the U.S.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

William RM Long

London

wlong@sidley.com

Jasmine Agyekum

jagyekum@sidley.com

Cameron F. Kerry

ckerry@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.