Jun 142018

European Lawmakers Call on the EU to Suspend the EU-U.S. ‘Data Transfer’ Privacy Shield

Colleen Theresa Brown, William RM Long, Jasmine Agyekum, Cameron F. Kerry and Eleanor Dodding
, , , , , ,

On 11 June 2018, members of a Committee within the European parliament (“MEPs”) narrowly voted in favour of suspending the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement that facilitates the transfer of personal data of EU data subjects to the U.S., unless the U.S. government fully complies with the Privacy Shield data protection requirements by 1 September 2018. Although the resolution is only a draft and has no legal effect, it reflects continued European concerns surrounding Privacy Shield.  

The resolution passed the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) by 29 votes to 25 with 3 abstentions.  LIBE passed a similar resolution by an identical vote prior to the annual review of the Privacy Shield in 2017.  This year, LIBE reiterated its general view that  the Privacy Shield does not provide an “adequate level of protection required by [EU] data protection’ law” and calls for its suspension. The Privacy Shield, adopted by the European Commission and U.S. Department of Commerce in July 2016, has enabled over 3,100 U.S. companies to certify under the Privacy Shield that they comply with EU data protection obligations in order to be able to transfer personal data of EU citizens to the U.S without breaching EU data protection laws.

The LIBE resolution adds issues that are likely to be major topics of the Commission review upcoming this year.  LIBE admonishes the U.S. for taking too long to appoint members to fill multiple vacancies on the U.S. Privacy Civil Liberties Oversight Board (“PCLOB”), an independent privacy oversight body, or to confirm the nomination of a Chairman. to the PCLOB, which the LIBE argues hinders the effective ‘adequate protection’ of the transfer of EU personal data to the U.S. In addition, the Resolution critiques the U.S. administration for not appointing a permanent Ombudsmen to chair the PCLOB, noting this “does not contribute to mutual trust” as the continuation of an interim Ombudsman creates the “view that in the absence of an appointed independent, experienced and sufficiently empowered Ombudsperson, the US assurances…would be null and void.

Currently, the PCLOB comprises one Board member, Elisabeth Collins, and lacks a quorum to take formal action.  The long-pending nomination of Adam Klein to chair the body has been reported favourably by the Senate Judiciary Committee and is awaiting a vote by the full Senate.  Two additional nominees for the Board had hearings in May, but Judiciary has not yet voted on these nominations.

Another source of tension appears to arise from the recent adoption of the Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) which has, in the view of the LIBE, created “potential conflict with…EU data protection laws” by expanding the ability of U.S. and foreign law enforcement to target and access personal data of EU data subjects across international borders. The CLOUD Act resolved an open question about whether the U.S. government could use a probable cause warrant issued under the U.S. Stored Communications Act (SCA) to compel companies to produce emails stored overseas.  The CLOUD Act attempts to address international comity issues with regard to cross-border data requests by permitting recipients of legal process under the amended SCA to file a motion to modify or quash the process if they believe (1) the individual whose records are being sought “is not a United States person and does not reside in the United States” and (2) “that the required disclosure would create a material risk” of violating the laws of qualifying foreign governments.

Opponents of the LIBE resolution, in particular, English MEP Dan Dalton, a member of the European Conservatives and Reformists Group in the European Parliament, have attacked the resolution reportedly calling it  “irresponsible” as the suspension “would in reality diminish the data protection rights of EU citizens and leave them in legal limbo”. Axel Voss, a German MEP and member of the European Peoples Party in the European Parliament, also argued the suspension would undermine “the essential basis for the functioning of a tool which benefits thousands of European companies and protects the data of European citizens,” raising the question of whether “revoking the Privacy Shield [would] really benefit anyone.

The draft resolution, which has no power to suspend the Privacy Shield in of itself, will be voted on by the entire European Parliament in July 2018. Even, if approved, the resolution will not take legal effect to invalidate the Privacy Shield. It would instead represent the European Parliament’s stated position on the Privacy Shield. The European Commission is required to take the position into account when reviewing the Privacy Shield later this year as part of its annual review, scheduled to take place in September 2018, into the effectiveness of the Privacy Shield in ensuring ‘adequate protection’ of EU citizens personal data when transferring such data to the U.S.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

William RM Long

London

wlong@sidley.com

Jasmine Agyekum

jagyekum@sidley.com

Cameron F. Kerry

ckerry@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.