On 6th April, the European Parliament adopted a resolution on the “Adequacy of the Protection afforded by the EU-US Privacy Shield”. The resolution draws attention to previously identified and new concerns about the Privacy Shield framework and considers what the focus should be during the upcoming joint annual review of the Privacy Shield.
The resolution states that there has been a lack of clarity about the new US administration's commitment to the Privacy Shield arrangements because of various Executive Orders issued by new US President Trump. One example is the Executive Order on “Enhancing public safety in the Interior of the US”, issued on 25th January 2017, which excludes foreign citizens from the protections of the US Privacy Act. The resolution considers that this Executive Order contradicts the written assurances that judicial redress mechanisms will be available to individuals whose personal data is accessed by the US authorities. The resolution calls for the EU Commission to carry out a detailed legal analysis of the consequences of the President’s Executive Order and its impact on the right of EU citizens to seek judicial redress in relation to US government agencies’ use of their personal data when it is transferred to the US under the Privacy Shield.
The resolution identifies a number of other serious concerns, in particular, that neither the Privacy Shield nor the US Administration’s letters of assurance demonstrate the existence of effective judicial redress rights in cases where EU personal data was accessed by law enforcement agencies. There is also a concern that the Privacy Shield is based on Presidential Policy Directive 28, which can be repealed by the President without consent of the US Congress.
The resolution states that the EU Parliament has strong doubts about assurances given by the Office of the Director of National Intelligence due to recent revelations that a US electronic communications provider was monitoring all emails reaching its servers at the request of US intelligence services. The resolution calls for the EU Commission to seek full clarification from the US authorities on the matter and expresses the EU Parliament’s dissatisfaction that the Privacy Shield does not prohibit the bulk collection of EU personal data for law enforcement purposes.
The Privacy Shield framework will be reviewed for the first time in September 2017. As part of this first joint EU-US annual review of the Privacy Shield, the EU Parliament calls on the EU Commission to: (1) review the necessity and proportionality of these bulk collection programmes; (2) monitor compliance with the requirement that EU personal data be deleted when no longer necessary for the purpose for which it was originally collected, including by law enforcement agencies; and (3) ensure the Privacy Shield is amended in line with the EU General Data Protection Regulation, which will become enforceable in May 2018.
The EU-US Privacy Shield is also subject to various legal challenges before the Irish High Court based on allegations by privacy organisations that the arrangement fails to provide sufficient protections for the rights and freedoms of individuals in the EU whose personal data is transferred to the US under the Privacy Shield.