On 11 June 2018, members of a Committee within the European parliament (“MEPs”) narrowly voted in favour of suspending the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement that facilitates the transfer of personal data of EU data subjects to the U.S., unless the U.S. government fully complies with the Privacy Shield data protection requirements by 1 September 2018. Although the resolution is only a draft and has no legal effect, it reflects continued European concerns surrounding Privacy Shield.
The resolution passed the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) by 29 votes to 25 with 3 abstentions. LIBE passed a similar resolution by an identical vote prior to the annual review of the Privacy Shield in 2017. This year, LIBE reiterated its general view that the Privacy Shield does not provide an “adequate level of protection required by [EU] data protection’ law” and calls for its suspension. The Privacy Shield, adopted by the European Commission and U.S. Department of Commerce in July 2016, has enabled over 3,100 U.S. companies to certify under the Privacy Shield that they comply with EU data protection obligations in order to be able to transfer personal data of EU citizens to the U.S without breaching EU data protection laws.
The LIBE resolution adds issues that are likely to be major topics of the Commission review upcoming this year. LIBE admonishes the U.S. for taking too long to appoint members to fill multiple vacancies on the U.S. Privacy Civil Liberties Oversight Board (“PCLOB”), an independent privacy oversight body, or to confirm the nomination of a Chairman. to the PCLOB, which the LIBE argues hinders the effective ‘adequate protection’ of the transfer of EU personal data to the U.S. In addition, the Resolution critiques the U.S. administration for not appointing a permanent Ombudsmen to chair the PCLOB, noting this “does not contribute to mutual trust” as the continuation of an interim Ombudsman creates the “view that in the absence of an appointed independent, experienced and sufficiently empowered Ombudsperson, the US assurances…would be null and void.”
Currently, the PCLOB comprises one Board member, Elisabeth Collins, and lacks a quorum to take formal action. The long-pending nomination of Adam Klein to chair the body has been reported favourably by the Senate Judiciary Committee and is awaiting a vote by the full Senate. Two additional nominees for the Board had hearings in May, but Judiciary has not yet voted on these nominations.
Another source of tension appears to arise from the recent adoption of the Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) which has, in the view of the LIBE, created “potential conflict with…EU data protection laws” by expanding the ability of U.S. and foreign law enforcement to target and access personal data of EU data subjects across international borders. The CLOUD Act resolved an open question about whether the U.S. government could use a probable cause warrant issued under the U.S. Stored Communications Act (SCA) to compel companies to produce emails stored overseas. The CLOUD Act attempts to address international comity issues with regard to cross-border data requests by permitting recipients of legal process under the amended SCA to file a motion to modify or quash the process if they believe (1) the individual whose records are being sought “is not a United States person and does not reside in the United States” and (2) “that the required disclosure would create a material risk” of violating the laws of qualifying foreign governments.
Opponents of the LIBE resolution, in particular, English MEP Dan Dalton, a member of the European Conservatives and Reformists Group in the European Parliament, have attacked the resolution reportedly calling it “irresponsible” as the suspension “would in reality diminish the data protection rights of EU citizens and leave them in legal limbo”. Axel Voss, a German MEP and member of the European Peoples Party in the European Parliament, also argued the suspension would undermine “the essential basis for the functioning of a tool which benefits thousands of European companies and protects the data of European citizens,” raising the question of whether “revoking the Privacy Shield [would] really benefit anyone.”
The draft resolution, which has no power to suspend the Privacy Shield in of itself, will be voted on by the entire European Parliament in July 2018. Even, if approved, the resolution will not take legal effect to invalidate the Privacy Shield. It would instead represent the European Parliament’s stated position on the Privacy Shield. The European Commission is required to take the position into account when reviewing the Privacy Shield later this year as part of its annual review, scheduled to take place in September 2018, into the effectiveness of the Privacy Shield in ensuring ‘adequate protection’ of EU citizens personal data when transferring such data to the U.S.