European Parliament heads for showdown with US over Privacy Shield

By Kevin Cahill

The Justice Committee of the European Parliament has set the scene for a major showdown with the US over data transfers between the EU and the US by setting a Sept 1st deadline for the US to get in compliance with EU law.

At issue is the Privacy Shield non-legal, non-binding replacement for ‘Safe Harbour”, a failed agreement between the EU and the US struck down by the European Court of Justice in October 2015.

Privacy Shield, activated in July 2016 by the Commission, provides for issues between EU users and US corporations to be settled in the US, by an ombudsman appointed by the US Department of Commerce. The Ombudsman’s appointment has not been ratified by the US and the agreement itself has not been ratified by the US Congress or government.

In a motion that now goes to the full European Parliament in July the Committee Chair, London based Labour MEP Claude Moraes notes that the Article 29 Group of EU Regulators had failed to meet a May 25th (2018) deadline to solve outstanding issues with the US and the committee supported his call for the Regulators to consider sending the matter back to the European Court of Justice if nothing had happened by 1st September.

The Committee did note the fact that the Irish High Court’s Judge Caroline Costello has already referred Privacy Shield to the European Court on May 2nd 2018, as one of her 11 questions arising from the failed implementation of the Court’s judgment and the earlier finding of fact by the Irish High Court that the US was engaged in “mass and indiscriminate surveillance” throughout the EU via its PRISM programme.

The Justice Committee raised a string of concerns about Privacy Shield including whether the idea of a US ombudsman was compatible with the rights of EU citizens but avoided the hot potato of PRISM, the actual surveillance programme that was the target of the original European court findings of unlawful and in the UK criminal, mass surveillance.

However, the Committee put the US on clear notice of how serious the situation is by warning that the reauthorisation of section 702 of the US Foreign Surveillance Act (FISA) places in question the legality of Privacy Shield. Under the FISA the US considers itself to have the legal right to impose mass and selective surveillance on all foreign citizens, in their home countries, irrespective of local laws.

The motion in the Justice Committee was passed by a narrow majority of 29 to 25 with 3 abstentions, a foretaste of the likely battle in the full Parliament. In Brussels the US internet giants are mounting a massive lobbying campaign to persuade the European Parliamentarians to ignore local concerns and let the US carry on mass and selective surveillance in the EU.

The Committee placed considerable reliance on negotiations between the Article 29 Working Party of Regulators and the US authorities, overlooking the fact that the Article 29 Working party is just that, and may not have any legal authority to negotiate a settlement. Questions about the legal status of the Art 29 Working party put to the European Justice Commissioner Vera Jourova by Computer Weekly over several weeks have not been answered.