Yesterday, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) held a public hearing on the EU-US Privacy Shield, see agenda here and a video of the hearing here. While European Parliament support is not strictly necessary for the approval of the Privacy Shield, it’s view certainly has political weight.
The hearing began with a presentation of views by the EU and U.S. negotiators and European data protection regulators (the chair of the Article 29 Working Party (“WP29”) and the European Data Protection Supervisor (the “EDPS”)). The LIBE committee then heard from private entities, organizations and scholars such as DIGITALEUROPE, Marc Rotenberg (executive director of the Electronic Privacy Information Center (EPIC)), a European consumer association, and Max Schrems, the privacy campaigner.
The EU and U.S. negotiators defended the proposed arrangement. Representatives of the Commission stated that if the Privacy Shield did not receive approval, some elements of the Privacy Shield system could still be applied, such as the Ombudsperson mechanism, clarifications on national security access and limitations on data in transit. Participants also noted that the Privacy Shield will have to fit into the new European data protection framework, the forthcoming General Data Protection Regulation.
WP29 Opinion
The Privacy Shield proposal is currently being reviewed by the WP29, a group made up of a representative from the data protection authority of each EU Member State, the EDPS and the European Commission. The WP29 must provide a non-binding opinion on the Privacy Shield, which is expected on April 12 or 13. At the hearing, the chair of the WP29 identified some aspects of the Privacy Shield which concerned them:
- an absence of rules in the Privacy Shield on data retention; and
- the powers and independence of the new Ombudsperson.
The chair observed that the forthcoming opinion will also have an impact on future WP29 opinions and positions on alternative transfer mechanisms, such as Binding Corporate Rules (BCRs) and model clauses.
The EDPS intends to adopt his own opinion, subsequent to the publication of the WP29 opinion.
Article 31 Committee Meeting
Just a few days before the WP29 is expected to issue its opinion, on April 7, 2016, the Article 31 Committee will meet for the first time to discuss the Privacy Shield. This Committee is made up of representatives of each EU Member State and must provide a binding opinion supporting the Privacy Shield by qualified majority for the Privacy Shield to go ahead. For more details on the approval procedure for the Privacy Shield, please see our alert here.