On the 6th April, a resolution passed in European court instigating a review of the EU-US data transfer agreement, Privacy Shield. MEPs are concerned about recent privacy developments in the US which do not reflect the EU’s attitudes towards data protection.
Background and purposes
The Privacy Shield arrangement was approved in July 2016, after a previous agreement, Safe Harbour Decision, was invalidated by a Court of Justice of the European Union ruling in October 2015. Since then, Privacy Shield has faced two legal challenges from privacy rights groups in Ireland and France.
The purpose of the deal is to allow the transfer of data between the EU and the US, bypassing the EU’s Data Protection Directive 95/46/EC, which prohibits personal data from being transferred from Europe to a third country unless it “ensures an adequate level of protection”. By self-certifying under Privacy Shield, organisations can be said to provide adequate protection.
“We have to ensure the proper day-to-day implementation and robust follow-up of the Privacy Shield.”
– Věra Jourová, EU justice commissioner.
In particular, Privacy Shield requires organisations to commit to the protection of EU citizens’ personal data and renegotiate their contracts with parties involved with the transfer or processing of data. Those who provide privacy policies, contact details and demonstrate the relevant compliance are certified and listed here. Certification is intended to provide clarity for businesses on personal data transfer and to ensure the safety and standards of EU law.
- give notice to individuals of the type of data collected, their rights to access, recourse mechanisms available and third party transfers;
- provide choice, allowing data subjects to opt out of third party processing and opt in for sensitive personal data processing;
- ensure that third party data transfers meet the same standard, by imposing additional contractual provisions and eventually being liable for the third party’s breach;
- sufficiently protect personal data;
- only collect data “relevant for the purposes of processing” and commit to the arrangement even after certification has expired;
- provide access to personal data and the ability to amend, correct or delete inaccurate/misused data.
Developments, criticisms and changing political horizons
Privacy Shield is due for its annual review in September 2017, as Věra Jourová, EU justice commissioner, confirmed at the end of March. Following this, the European Parliament resolution expressing “alarm” over privacy changes passed with 306 votes to 240 with 40 abstentions.
MEPs have cited news of surveillance activities by US electronic communications service providers and new rules which allow the US National Security Agency to share data with other US agencies without permission from courts as particular concerns. The “insufficient independence” of the US’ Ombudsperson mechanism, which is meant to provide effective judicial redress rights for EU individuals, also came under fire. Also mentioned was the lack of a person fulfilling the role of Ombudsperson since July 2016.
“There are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and businesses that depend on this agreement”,
– Claude Moraes, Civil Liberties Committee Chair.
Privacy advocate Nigel Hawthorn of Skyhigh Networks told Infosecurity: “In order to mitigate the uncertainty that seemingly isn’t going anywhere any time soon, organisations in Europe may have to vote with their wallets and reduce the amount of data going to the US, or invest in technologies that encrypt data before it is transferred.”
Given this detailed resolution, there is significant work cut out for those reviewing Privacy Shield in September. President Trump has demonstrated that his interest in privacy rights of citizens is limited, certainly when it comes to national security. His failure to fill the post of Privacy Shield Ombudsperson and vacancies on the Privacy and Civil Liberties Oversight Board and the Federal Trade Commission (which enforces Privacy Shield) isn’t promising for European citizens’ privacy rights. The repeal of Obama-era broadband rules at the beginning of April adds to concern that the review might face further political pressure from the US.