EU-U.S. Data Transfer Turmoil Continues: “Privacy Shield” Needs Improvement - EU Model Clauses Might Be Invalidated by ECJ

In a May 26, 2016 resolution, the European Parliament (EP) recommended that the European Commission should continue negotiating with the U.S. to improve the draft “EU-U.S. Privacy Shield” (“Privacy Shield”), the EU-U.S. data transfer mechanism intended to replace the invalidated “U.S.-EU Safe Harbor.”

In the resolution, passed by 501 votes to 119 with 31 abstentions, the members of the EP (MEPs) voiced concerns regarding:

• The U.S. surveillance authorities’ access to data of European individuals transferred under the Privacy Shield.
• The remaining possibility for the bulk collection of data, which they argue would not meet the principle of necessity and proportionality, as enshrined in the European Union (EU) Charter of Fundamental Rights.
• The proposed U.S. ombudsperson, which – in the view of the MEPs – is neither “sufficiently independent,” nor “vested with adequate powers to effectively exercise and enforce its duty.”
• The complexity of the last resort binding arbitration mechanism which they believe should be much more “user friendly and effective.”

This is in line with the concerns previously raised by the Article 29 Working Party (WP29) in its opinion on the Privacy Shield which was published in April, accompanied by an assessment of the U.S. surveillance activities. Although the statements of both institutions are non-binding for the Commission, both are highly influential. That influence comes to bear at a time when the partly binding Article 31 Working Party opinion on Privacy Shield is still pending after having been postponed to the end of June.

Meanwhile, the Irish data protection authority (DPA) on May 24 announced that it intends to refer a case complaining of Facebook’s use of the EU Model Clauses data transfer mechanism to the Irish High court for referral to the European Court of Justice (ECJ) – the same court which invalidated the “Safe Harbor” regime. The complaint alleges that the use of EU Model Clauses as a replacement for Safe Harbor does not alleviate the underlying issue of alleged U.S. government mass surveillance.

If the ECJ finds the EU Model Clauses to be invalid, it would take away one of the only remaining valid EU-U.S. data transfer mechanisms that companies currently use to legitimize their cross-border data transfers from Europe, which are essential to many multinational businesses.

Crowell & Moring will continue to monitor these issues and provide updates. All of our prior Privacy Law Alerts, including several on Privacy Shield and the other EU-U.S. transfer mechanisms are available here.