
US and UK days away from European Parliament ultimatum to suspend data transfers to the US

Threat to Privacy Shield as the European Union and US approach a critical European Parliament deadline to suspend data transfers from the EU to the US

The US and the UK are days away from the expiry of a European Parliament ultimatum that requires the European Commission (EC) to suspend all transfers of data to the US. The ultimatum expires on 1 September 2018.

The huge European Parliament motion, with more than 50 clauses and sub-clauses, was put to the Parliament by Claude Moraes, the London-based Labour member of the European Parliament (MEP), following his success in having a preparatory motion passed by the European Parliament Justice Committee, which he chairs.

“The resolution makes clear that Privacy Shield in its current form does not provide the adequate level of protection required by data protection law and the EU Charter,” said Moraes at the time.

“Progress has been made to improve on the Safe Harbour agreement, but this is insufficient to ensure the legal certainty required for the transfer of personal data. The law is clear and, as set out in the GDPR [General Data Protection Regulation], if agreement is not adequate and if the US authorities fail to comply with its terms, then it must be suspended until they do.”

Irrespective of the Parliament motion, the Safe Harbour agreement is under legal threat in both the Irish High Court and at the European Court of Justice.

In April this year, Judge Caroline Costello of the Irish High Court referred “Safe Harbour” to the European Court of Justice for examination as to its compliance with EU law.

Her referral has been “intercepted” in mid-flight by the Irish Supreme Court, which granted Facebook an appeal against Costello’s review request at the end of July. That appeal is likely to be heard in December and raises issues concerning “Privacy Shield”.

A spokesperson for the European Court of Justice said it was within the competence of the Irish Supreme Court to allow such an appeal and to change or even expunge Judge Costello’s questions, but added that the judgements of the European Court itself were not subject to appeal.

In its opening sentence, the European Parliament motion referred to the key European Court judgement of Schrems versus the Irish Data Protection Commissioner, which stands and is not subject to appeal.

That judgement accepted an earlier Irish High Court finding that the US was engaged in mass and indiscriminate surveillance.

Far from having halted the underlying surveillance, the US Commerce Department assured justice commissioner Věra Jourová’s delegation to the US in September 2017 that it would continue surveillance in Europe.

In her letter to this publication, Jourová’s legal director general Tiina Astola said the US would continue to use Prism – now renamed Downstream – and Upstream searches (in Europe) based on Section 702 of the US Foreign Intelligence and Surveillance Act.

This act, which has no legal authority in Europe, will be used to carry out “searches in a targeted manner through the use of individual selectors”, according to the Commerce Department. This would be both unlawful and – in many EU states, including the UK – it would be criminal.

The US Department of Commerce, responsible for the complaints process in Privacy Shield, has made no new public submissions to the European Parliament or EC.

The most serious clauses in the long motion are the following:

  1. Calls on the European Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679 – which gives EU citizens rights over the processing of their data – to be applied as from 25 May 2018, and with the EU Charter, so that adequacy should not lead to loopholes or competitive advantage for US companies;
  2. Deplores that the European Commission and the competent US authorities did not restart discussions on the Privacy Shield arrangement and did not set up any action plan to address as soon as possible the deficiencies identified, as called for by the WP29 – an ad hoc gathering of EU data regulators – in its December report on the joint review; calls on the EC and the competent US authorities to do so without any further delay;
  3. Recalls that privacy and data protection are legally enforceable, fundamental rights enshrined in the Treaties, the EU Charter and the European Convention of Human Rights, as well as in laws and case law; emphasises that they must be applied in a manner that does not unnecessarily hamper trade or international relations, but cannot be “balanced” against commercial or political interests;
  4. Takes the view that the current Privacy Shield arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the CJEU;
  5. Considers that, unless the US is fully compliant by 1 September 2018, the EC has failed to act in accordance with Article 45(5) GDPR – which requires the European Commission to certify that the US is compliant with GDPR – calls therefore on the EC to suspend the Privacy Shield until the US authorities comply with its terms.

However, it is the court action in Dublin which poses the greatest threat to the nine US internet companies identified in the original Irish High Court findings and endorsed by the European Court of Justice on 6 October 2015.

Clause 33 points towards the reality. Privacy rights are enforceable in law, and compensation must be paid to victims. So far, Max Schrems has waited 8 years to have his privacy rights upheld, at a cost of more than 200,000 to him.

Once enforcement of the compensation clauses starts, nothing the European Parliament, the European Commission or the internet companies do can stop the law on the ground, in the member states, becoming effective.
