EU Parliament tells Commission Privacy Shield is likely illegal
Brussels, BE – Today, the European Parliament adopted its non-binding resolution on the Privacy Shield, a data-transfer arrangement between the EU and the US designed to replace the Safe Harbour mechanism that was invalidated more than six months ago by the Court of Justice of the EU (CJEU). In this resolution, the EU Parliament indicates that several provisions of the Privacy Shield are inconsistent with EU law and calls on the Commission to improve the framework.
Access Now trumpets the findings of the European Parliament and calls on the European Commission to act quickly to remedy the deficits of the arrangement. The European Commission negotiated the Privacy Shield with the United States, and is responsible for its provisions. Ultimately the Parliament cannot reject the arrangement — only the Article 31 Committee has that authority — but its warnings should be carefully heeded. Sixteen years ago the Parliament raised similar cautions with regard to the Safe Harbour framework, but was ignored. The invalidation of the Safe Harbour was, in some respects, a validation of the Parliament’s earlier opinion.
“Joining data protection experts, academics, and civil society, the EU Parliament has called for a Privacy Shield with additional protections for EU personal data,” said Estelle Massé, EU Policy Analyst at Access Now. “Let’s make sure that history doesn’t repeat itself. We call on the Commission to implement the recommendations put forward by the Parliament, this time around.”
The Privacy Shield now has to be evaluated by the Article 31 Committee, whose members represent each of the EU member states. The committee is expected to deliver a binding opinion on the Privacy Shield on June 20, which will either authorise the Commission to adopt the arrangement or not. If the Privacy Shield is adopted as is, it will likely be brought back before the CJEU because it does not provide adequate protection for fundamental rights.
“User trust in the digital economy requires a rights-protecting data transfer arrangement that can offer challenge-proof certainty for companies and individuals. Without additional protections, the EU Commission is setting itself up for the eventual failure of the Privacy Shield, undermining that trust and causing more embarrassment for the negotiators,” added Massé.
For our in-depth analysis of the Privacy Shield, see:
- Three facts about US surveillance the European Commission gets wrong in Privacy Shield
- Activating the EU-US Privacy Shield: To protect privacy, we need reform, not rebranding
Estelle Massé, EU Policy Analyst, Access Now