On July 5, the European Parliament passed a non-binding resolution asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while remaining compliant with EU data protection laws. The European Commission adopted the data-sharing privacy framework on July 12, 2016, after its precursor, Safe Harbor, was struck down by the European Court of Justice on October 6, 2015. Since the European Parliament’s resolution is non-binding, the European Commission could choose to ignore it. However, the Commission will no doubt take the Parliament members’ concerns into consideration in its annual review of the Shield, which is due in September. Further discussions on whether to renegotiate the Privacy Shield are also on the table, since the Shield is based on the now defunct EU Directive 95/46, which the EU General Data Protection Regulation replaced when it went into effect on May 25, 2018.
The Parliament’s resolution cites a number of reasons for asking the Commission to suspend the Privacy Shield pending US compliance, including the recent reauthorization and amendment of Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), which allows US intelligence agencies to collect information on non-US persons located outside of the US, and the March 2018 Clarifying Overseas Use of Data (“CLOUD”) Act, which allows US law enforcement agencies to access personal data stored abroad. The resolution also cites the improper use of 2.7 million EU citizens’ Facebook data by Cambridge Analytica and the failure of the US to appoint a sufficiently independent ombudsperson as required by the Privacy Shield, and it gives a deadline of September 1, 2018 for the US to become fully compliant. According to the Parliament, the Privacy Shield “does not provide the adequate level of protection.”
Despite the Parliament members’ call for a suspension, a full suspension of the Privacy Shield program does not appear likely. A spokesperson for the European Commission has stated that although “there is some room for improving [the Privacy Shield’s] implementation . . . [the Commission] will continue to work to keep the Privacy Shield running.” The Parliament’s resolution does, however, add to the mounting pressure from the Shield’s critics to renegotiate the agreement, and it creates uncertainty for the 3,300-plus US companies that rely on the framework to transfer personal data between the US and the EU.
This resolution comes after the High Court of Ireland referred a case challenging a major social media company’s data-transfer methods and the Privacy Shield to the European Court of Justice. The case presents a threat to the Privacy Shield framework and will be closely followed by US and European businesses.
The FTC has brought four enforcement actions under the Privacy Shield framework (one of which is the settlement announced on July 2 against a California company that allegedly made a false claim that it was in the process of being certified as complying with the Privacy Shield framework). The FTC has entered into consent decrees with more than 50 companies accused of lax data security since 2008, but its ability to bring enforcement actions took a hit recently in the 11th US Circuit Court of Appeals’ ruling on June 6, 2018, in LabMD, Inc. v. Federal Trade Commission. In a milestone ruling, the 11th Circuit said the FTC’s cease-and-desist order against LabMD, a cancer-screening company that went out of business in the course of litigating against the commission, was unenforceable because it required the company to meet a vague standard of reasonableness. If the ruling stands, it would significantly constrain the FTC’s ability to bring enforcement actions and would require the FTC to identify a specific fact or circumstance that ties to a constitutional, statutory or common law violation, rather than simply bringing a general data security claim. With the FTC designated as the agency responsible for enforcing the Privacy Shield framework, the courts’ interpretation of the FTC’s enforcement powers will be closely watched by both US and European regulators.
While it is unlikely at this time that the European Commission will suspend the Privacy Shield, the European Parliament’s resolution creates further friction between the US and the EU related to data sharing across the Atlantic.
Moreover, the resolution further highlights the EU’s ongoing dissatisfaction with the US approach to privacy. While that dissatisfaction generally stems from the US legislative agenda, which European critics view as favoring national security concerns over privacy rights, there is also a general perception in the EU that privacy protections in the US are not adequately enforced. On behalf of companies engaged in data transfers between the EU and the US, we will continue to monitor challenges to the EU-US Privacy Shield framework.
Special thanks to Philippe Schiff* for his assistance in drafting this post.
*Summer associate – not admitted to practice law.