The Privacy Shield, proposed this past February and greeted with cautious optimism by European and U.S. regulators alike as a more robust “replacement” for the invalidated Safe Harbor framework, appears to be suffering death by a thousand paper cuts. Today’s European Parliament resolution (the “Resolution”) delivered the latest blow. The Resolution recommends that the European Commission continue to negotiate the terms of the Privacy Shield with U.S. officials to address certain “deficiencies.” Although the Resolution is non-binding, it is highly influential. Parliament’s major concerns include:
- U.S. government surveillance. Parliament does not believe that the Privacy Shield adequately addresses the ability of U.S. law enforcement to access personal data transferred from the EU.
- Bulk data collection. Parliament is concerned that the Privacy Shield will not prevent bulk data collection that may violate the “necessity” and “proportionality” requirements set forth in the EU Charter of Fundamental Rights.
- U.S. Ombudsperson. The Privacy Shield calls for the appointment of a U.S. Ombudsperson who would work closely with the U.S. State Department and other agencies to coordinate responses to complaints regarding the U.S. government’s use of EU citizens’ personal data. Parliament welcomes the establishment of this role, but it does not believe the position will be “sufficiently independent” or “vested with adequate powers to effectively exercise and enforce its duty.”
- Recourse. In addition to the appointment of a U.S. Ombudsperson, the Privacy Shield contemplates a system of binding arbitration for complaints and disputes. An arbitrator would be selected from a pool of 20 arbitrators designated by the U.S. Department of Commerce and the European Commission. Arbitrators would have the authority to provide individual-specific, nonmonetary equitable relief to complainants. Parliament finds these recourse mechanisms to be too complex and has urged the Commission and U.S. regulators to make the process more “user-friendly and effective.”
- Periodic reviews. Parliament also called on the Commission to conduct periodic “robust reviews” of the Privacy Shield adequacy decision, particularly in light of the recently passed General Data Protection Regulation, which takes effect in May 2018 and will impose significant new data privacy and security requirements on U.S. companies doing business in Europe.