In March, we discussed the proposed EU-US Privacy Shield in our blog.
At the time, the EU and US had just reached an agreement in principle and the European Commission (EC) released a draft “adequacy decision” regarding the proposed framework. The Privacy Shield is a regulatory framework designed to enable US companies to comply with strict EU digital privacy laws. It replaces the invalidated “Safe Harbour” agreement.
In the intervening months, several EU institutions expressed dissatisfaction with the proposed Privacy Shield. On April 13th, the Article 29 Working Party published a critical opinion stating that the EC had overlooked “key data protection principles”. In particular, the Working Party took issue with the proposal’s lack of transparency and lack of a data retention limitation. While the Working Party’s decisions are not binding, they are influential.
On May 26th, Members of the European Parliament (MEPs) also expressed their dissatisfaction in a resolution, approved by a 501 to 119 vote. The resolution urged the EC to address the proposed Privacy Shield’s “deficiencies” through further negotiation. The deficiencies identified included the possibility of mass surveillance and the complexity of the redress mechanism.
On May 30th the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued an opinion and a series of recommendations to improve the Privacy Shield.
The Opinion encourages the EC to take a firm line in negotiations. This is especially the case on the issue of surveillance. On US intelligence activities, Buttarelli wrote that:
access and use by public authorities of data transferred for commercial purposes, including when in transit, should only take place as an exception and where indispensable for specified public interest purposes.
Given the MEP resolution, and Buttarelli’s opinion, it will be interesting to see how the negotiations continue to unfold.