By now you've probably heard the news that Privacy Shield is under fire yet again. This is now part three of what I predict will be an ongoing series of blogs as each crisis emerges (to wit, see here and here). As with previous editions, there is no need to panic at the moment, but vigilance is recommended.
The latest drama has come from the European Parliament's vote on 5 July calling on the European Commission to suspend Privacy Shield if specific requirements aren't met by 1 September. Here in the States (where I'm based), knowledge of the complex web of European institutions is understandably basic, so headlines such as 'European Parliament declares Privacy Shield invalid' cause panic amongst certain certified companies. I'm sure similar drama occurred on the eastern side of the pond (that EU module at university was some time ago for many!). So let's be clear: the European Parliament does not have the power to declare Privacy Shield invalid. The Parliament's vote was non-binding and holds no official weight. The European Commission is the only body with the power to make adequacy decisions; not the European Parliament, not the now defunct Article 29 Working Party (WP29) and not its successor, the European Data Protection Board (EDPB).
Under GDPR the Commission is given powers to review adequacy decisions on a regular basis. Part of the sweetener to get Privacy Shield passed was to build in such a review annually (the second of which is due to commence shortly).
The only other route by which Privacy Shield can be declared invalid is via legal challenge to the Court of Justice of the European Union (CJEU). This was the method that brought down Safe Harbor, thanks to a certain Mr Schrems. This is no overnight process and would take a formal challenge in national courts and then escalation through legal due process.
Not only was the Parliament's vote non-binding, but official messages from both the Commission and EDPB have indicated they will not be taking action following the Parliament's vote. Christopher Wigand, spokesperson for the Commission, stated in an interview with Bloomberg that suspension was not currently being considered. Andrea Jelinek, chair of the EDPB, stated Privacy Shield improves data transfers between the EU and US and stated concerns remain for the annual review.
Given that the second annual process will be underway by 1 September, it seems unlikely the Commission or EDPB will take action before then. The Commission tends to take a more pragmatic approach, aware of the significance a finding of inadequacy would have.
That is not to say that the resolution can be complacently ignored. The fact is the Parliament is the only democratic institution in the EU, and sees itself as the protector of citizens' rights. A similar motion was passed about Safe Harbor prior to its demise at the hands of the CJEU.
More dangerous are the current challenges in the CJEU. The Irish High Court referred 11 questions to the CJEU in Schrems II, as his challenge to Model Clauses is commonly known. It chose to add three questions on the validity of Privacy Shield. The Luxembourg justices will view issues without considering political fallout and economic turmoil as the Commission would, although thankfully for Privacy Shield companies the wheels of justice there grind slowly.
Signifying how important transatlantic data flows are, US firms are pushing for action stateside to assuage European fears. The Reform Government Surveillance Coalition, which includes all tech majors (Google, Facebook, Apple, Microsoft, LinkedIn, Twitter, etc.), recently urged Congress to confirm the nominations for two spots on the Privacy and Civil Liberties Oversight Board (PCLOB) and pressed Trump to make a nomination for the remaining empty chair.
Elephant-memoried readers will recall that the WP29 in its review of Privacy Shield had good things to say about the PCLOB and the potential role it could play protecting individuals' rights, but lamented the fact that in reality only one member had been appointed. Indeed, filling out the board was one of the WP29's demands in its own opinion on Privacy Shield last year, for which it threatened legal action if not fulfilled by 25 May AT THE LATEST (it didn't).
Eagle-eyed readers will have seen that the delay in appointing the PCLOB members formed part of the resolution on which the Parliament just voted. They also criticised the fact that the PCLOB didn't prepare a report in the President's reauthorisation of section 702 of the Foreign Intelligence Surveillance Act. It can't help that under Trump the number of surveillance actions that have been authorised has tripled.
Of course, no one is sure how the current administration will react to any pressure. Given the ongoing Russian saga and potential deal with North Korea, a data transfer framework may not be top in the president's inbox.
I therefore repeat my conclusion from last time: don't panic, this latest story doesn't spell the end of Privacy Shield, but it does build a case that, with Model Clauses also under fire, it may be time to ensure you're not reliant on a single data transfer mechanism. Keep abreast of this story as it develops and watch this space!