#PrivacyShield: MEPs alarmed by US developments that undermine privacy safeguards #DataProtection
New rules allowing the US National Security Agency (NSA) to share private data with other US agencies without court oversight, recent revelations about surveillance activities by a US electronic communications service provider and vacancies on US oversight bodies are among the concerns raised by MEPs in a resolution passed on Thursday.
In the resolution, adopted by 306 votes to 240, with 40 abstentions, MEPs call on the EU Commission to conduct a proper assessment and ensure that the EU-US “Privacy Shield” for data transferred for commercial purposes provides enough personal data protection for EU citizens to comply with the EU Charter of Fundamental Rights and new EU data protection rules. The first annual review of the Privacy Shield framework is expected in September.
"This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses”, said Civil Liberties Committee Chair Claude Moraes (S&D, UK). “We acknowledge the significant improvements made compared to the former EU-US Safe Harbour, but there are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and businesses that depend on this agreement”, he added.
MEPs are particularly worried about:
new rules that from January 2017 allow the NSA to share vast amounts of private data, gathered without warrant, court orders or congressional authorisation, with 16 other agencies, including the FBI,
the rejection of rules to protect the privacy of broadband customers by the Senate and the House of Representatives in March, which “ eliminates (…) rules that would have required internet service providers to get consumers’ explicit consent before selling or sharing web browsing data and other private information with advertisers and other private companies”,
vacancies on the Privacy and Civil Liberties Oversight Board, which means that it lost its quorum on 7 January, making it more limited in its authority, while at the same time the Federal Trade Commission, which enforces the Privacy Shield, has three of its five seats vacant,
insufficient independence of the Ombudsperson mechanism set up by the US Department of State plus the fact that the incoming US administration has not appointed a new Ombudsperson , and
the fact that neither the Privacy Shield Principles nor letters from the US administration demonstrate the existence of effective judicial redress rights for EU individuals whose data are transferred to the US.
EDRi, the European Digital Rights organisation point out that the EU/US Privacy Shield has already been brought to the European Court of Justice (CJEU) by two advocacy groups: EDRi member Digital Rights Ireland (case number T-670/16) and EDRi observer La Quadrature du Net (case number T-738/16). If the CJEU applies the same reasoning as for the former Safe Harbour agreement, the Privacy Shield will need a replacement very soon. It is to be hoped that the EC is preparing the contingency plan to resolve this situation as soon as possible and not wait (again, like it did with the Safe Harbour and the two Data Retention rulings) until it is forced to act by the Court of Justice. If the Commission does this then maybe, finally, fundamental rights can be protected on both sides of the Atlantic and both citizens and businesses can enjoy the benefits of increased trust in the online environment.
The Privacy Shield is the successor to the 2000 Safe Harbour decision, which was invalidated by an EU Court of Justice ruling of 6 October 2015 (Schrems case).
The EU Commission responded by negotiating the new Privacy Shield arrangement to ensure “adequate” protection of personal data transferred and stored by companies in the US. This new framework for EU-US data transfers was adopted in July 2016. So far, more than 1,900 companies have joined the scheme.
Share this article: