Out-Law News 2 min. read
31 Mar 2017, 5:12 pm
In a motion for a European Parliament resolution published earlier this week, the Parliament's Committee on Civil Liberties, Justice and Home Affairs expressed concern that the Privacy Shield contains shortcomings in relation to US bulk surveillance powers and judicial redress for EU citizens in the US, as well as limitations on the rights of data subjects and inconsistencies in wording compared with EU data protection law.
The motion warned that the concerns "could lead to a fresh challenge to the decision on the adequacy of the protection being brought before the courts in the future". Two separate legal challenges have already been lodged against the Privacy Shield.
The ability to transfer personal data outside the European Economic Area (EEA) is restricted under existing EU data protection laws set out in the Data Protection Directive, and similar restrictions will apply under the General Data Protection Regulation (GDPR) when it takes effect on 25 May 2018.
If 'adequate protections' are put in place for data transfers, or if special derogations apply, such as a data subject's consent has been obtained to the transfer of personal data, then data can flow. Personal data can also be transferred to destinations that the European Commission has pre-approved as providing data protection that is "essentially equivalent" to that on offer in the EU.
Last year, the European Commission set out its 'adequacy decision' in which it endorsed the view that EU-US data transfers handled in line with the Privacy Shield's requirements would comply with EU data protection laws.
However, the Committee on Civil Liberties, Justice and Home Affairs said a ruling by the EU's highest court late last year has called into question whether US bulk surveillance provides for "an essentially equivalent level of the protection of personal data and communications".
The MEPs also called on the Commission to ensure the US commitments to the Privacy Shield are "maintained" under the new US administration led by president Donald Trump. Earlier this week, EU justice commissioner Véra Jourová met US officials in Washington to discuss the Privacy Shield. According to a report by Bloomberg, Jourová called on the US government to reaffirm its commitment to the Privacy Shield.
The motion further called on the Commission to ensure the Privacy Shield is fully compliant with the GDPR and also looked ahead to the forthcoming annual review that will be carried out on the operation of the Privacy Shield.
It said the joint review, by EU and US officials, should consist of "a thorough and in-depth examination of all the shortcomings and weaknesses" highlighted in relation to the Privacy Shield by it and other such as EU data protection authorities, and "demonstrate how they have been addressed so as to ensure compliance with the EU Charter [of Fundamental Rights] and Union law".
In addition, it said that all members of the review team should have "full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes", and that they should be given the freedom to "express their own dissenting opinions in the final report".