Documents considered by the Committee on 29 November 2017 Contents

6EU-US commercial data transfers: review of Privacy Shield

Committee’s assessment

Legally and politically important

Committee’s decision

Not cleared from scrutiny; further information requested; drawn to the attention of the Digital, Culture, Media and Sport Committee, the Exiting the EU Committee and the Science and Technology Committee

Document details

Report from the Commission to the European Parliament and the Council on the first Annual Review of the functioning of the EU-US Privacy Shield

Legal base


Digital, Culture, Media and Sport

Document Number

(39148), 13524/17 +ADD 1, COM(17) 611

Summary and Committee’s conclusions

6.1The ability to continue to share commercial data with the EU after Brexit will be crucial to the UK’s future trading relationship with the EU. It may also be a concern during any transition or implementation period. Personal data can only be shared by data processors and controllers in the EU with third countries who provide equivalent levels of data protection. This is usually established by a Commission implementing decision104 called an “adequacy decision”. The necessary implementing powers for the Commission are provided by the EU parent legislation, currently the Data Protection Directive 95/46/EC105 (the DPD).

6.2On 12 February 2016, the EU and US came to political agreement on a framework for EU-US personal data transfers for commercial purposes. On 12 July, the Commission adopted a partial adequacy decision106 which approved the Privacy Shield. Further details of the framework and adequacy decision are provided at paragraphs 6.12–6.14 below.

6.3The proposed Commission Implementing Decision for the approval of the Privacy Shield was itself deposited at the request of the previous Committee who scrutinised it closely,107 mindful of how the process could be relevant to the UK in the event of a Referendum vote to leave the EU.

6.4The current document is the first annual review of the Privacy Shield. Published on 18 October, it follows discussions on 18 and 19 September between officials from the US government, the Commission and EU data protection authorities (DPAs). The review itself serves as a means for the Commission to evaluate its finding that the Privacy Shield “ensures an adequate level of protection” for personal data transferred from the EU to the US. On the whole, the Report shows that the Privacy Shield continues to ensure an adequate level of data protection for personal data transfers for commercial purposes from the EU to the 2,400 participating companies in the US. Further details of the review are summarised at paragraphs 0.15–0.19.

6.5The Minster for Digital at the Department for Digital, Culture, Media and Sport (Matt Hancock) tells us now that the UK was a firm supporter of the Privacy Shield agreement being finalised and viewed it as a major step forward for restoring certainty and a stable legal footing for transatlantic data flows. It also says that the EU-US Privacy Shield is essential to UK businesses, who would find other mechanisms for transfer more complicated and expensive.

6.6We thank the Minister for his Explanatory Memorandum.

6.7We understand that this report is important in itself as a review of an adequacy decision to enable data sharing between the EU and a significant third country, the US. But it is also significant because of its relevance to Brexit. We are disappointed then that the Minister does not mention any Brexit implications, except to say that the UK will be discussing with the US how to share data with it after Brexit.

6.8We acknowledge that the previous Committee has asked the Minister questions about how the UK will share data with the EU after Brexit, not least during scrutiny of the Commission’s Communication on Exchanging and Protecting Data in a Globalised World. We have ourselves raised questions in correspondence108 concerning the Government’s Future Partnership paper “The exchange and protection of personal data”,109 which the Government helpfully sent to us. We will be interested in the Government’s response to the latter in due course.

6.9We do not duplicate those questions here. Instead, we focus on the Minister’s comment about exploring how to share data with the US after Brexit. We would be grateful for the Minister’s views more broadly on this third country issue and how the UK will continue to exchange data with the EU and with third countries who have an adequacy decision with the EU:

a)during any transitional/implementation period, as suggested by the Prime Minister in Florence; and

b)after Brexit.

6.10We are also interested in the legal longevity of the EU-US Privacy Shield, in the light of current legal challenges, Digital Rights Ireland110 and La Quadrature du Net.111 Does the Minister have any further information about the progress of these challenges? What is the UK’s position in relation to them, including the possibility of any intervention?

6.11In the meantime, we retain the document under scrutiny and draw this document and chapter to the attention of the Exiting the EU Committee, the Digital, Culture, Media and Sport and the Science and Technology Committees.

Full details of the documents:

Report from the Commission to the European Parliament and the Council on the first Annual Review of the functioning of the EU-US Privacy Shield: (39148), 13524/17+ADD 1, COM (17) 611.

Background to Privacy Shield

6.12Privacy Shield is designed primarily to address those aspects of the preceding Safe Harbor framework which the Court of Justice (CJEU) found to be incompatible with the DPD, the Treaties and the Charter in the judgment in Schrems.112 It imposes more specific and exacting measures on US companies that want to join the framework. It also has additional mechanisms designed to make sure that the privacy rights of individuals in EU Member States can be exercised when their data is being processed in the US. US companies self-certify annually with the US Department of Commerce that they meet the Privacy Shield requirements.

6.13Annexes to the adequacy decision include:

6.14To reflect the requirements in Article 25 and 26 of the DPD as interpreted in Schrems to keep the framework under review, the new framework provided for an annual joint review of the Privacy Shield.113

Summary of the review outcomes

6.15The Commission reports that the Privacy Shield provides for more regular and rigorous monitoring by the Department of Commerce (DoC) and significantly strengthens the possibilities for EU individuals to obtain redress. It highlights the additional redress avenues for EU individuals put into place by US authorities.

6.16Significantly, it points to the relevant safeguards adopted by the national security agencies in limiting their access to personal data. This is namely through the Presidential Policy Directive 28 (PPD-28) which applies to the personal data of all individuals regardless of nationality. This links to the last recommendation listed in paragraph 6.19 below.

6.17The Commission views the certification process as being handled in a satisfactory manner with over 2,400 companies so far having participated in it. The Commission further notes the increased cooperation between the European Data Protection Authorities (DPAs) and their US counterparts including, for example the formation of an informal panel of DPAs that provide binding advice to Privacy Shield companies for unresolved complaints, as well as the creation of standardised complaint and referral forms.

6.18The Commission has highlighted areas in which the practical implementation of the Privacy Shield can be improved and has drawn up a list of ten main recommendations for US authorities. These include that:

6.19Finally, a particularly significant recommendation is that the Commission hopes that Congress will consider enshrining the protections offer by PPD28 with respect to non-US persons in FISA in the context of the reauthorisation of Section 702 of the Foreign Intelligence Surveillance Act (FISA). According to the US House of Representatives website,114 this provision “authorizes the Intelligence Community to target the communications of non-U.S. persons located outside the United States for foreign intelligence purposes. A key anti-terror tool that has helped to thwart numerous terror plots including the 2009 conspiracy to bomb the New York City subway, Section 702 operations are subject to multiple layers of oversight by all three branches of government”.

The Government’s view

6.20In an Explanatory Memorandum of 13 November 2017, the Minister for Digital at the Department for Culture, Media and Sport (Matt Hancock) comments on the policy implications of the document as follows:

“The Government welcomes the outcomes of the first joint annual review of the EU-US Privacy Shield framework and in doing so continues to support it. It provides the most efficient method for transatlantic data transfers, and it is important to UK businesses to ensure that they can continue sending personal data to the US. Adequacy arrangements such as the Privacy Shield are important for the continuity of data flows and in maintaining the confidence of organisations, businesses and governments which all rely on them. There are now over 2400 US companies certified under Privacy Shield to date, including large companies such as Facebook, Amazon and Google. The Privacy Shield also benefits a large number of SMEs—for example, those who use software providers (particularly cloud based) to process financial, tax and contact data and those who access distance learning services.

“The Privacy Shield framework is likely to enable a far greater volume of international data transfers than any other mechanism for transferring data across international borders. Based on measures of global data flows, US-EU flows are by far the largest data flows globally. It is particularly important for SMEs and start-ups and is explicitly advertised as being particularly beneficial for businesses of that size. It is relied on by UK businesses, including SMEs who would find other mechanisms for transfer more complicated and expensive. The UK imports around £15 billion worth of digitally deliverable services from the US, which is 72% of the total services imports from the US.

“The Privacy Shield contains protections only available to those within the EU. The Government will therefore discuss with the US how best to ensure that the current protections afforded to UK citizens can be maintained and how data flows can continue unhindered when the UK leaves the EU.”

Previous Committee Reports

None but see Thirty-fourth Report, HC 71–xxxiii (2016–17), chapter 5 (8 March 2017); Seventeenth Report HC 71–xv (2016–17), chapter 10 (2 November 2016); Eighth Report HC 71–vi (2016–17), chapter 7 (13 July 2016); and Third Report HC 71–ii (2016–17), chapter 3 (25 May 2016).

104 A form of EU tertiary legislation.

105 The Directive is itself an EU secondary legislative measure.

106 C (2016) 4176. Commission Implementing Decision 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

107 See the Report listed under “Previous Committee Reports” for (37695) at this end of this Report chapter.

108 Letter from Sir William Cash, Chairman, European Scrutiny Committee to the Minister of Digital (Matt Hancock) at the Department of Culture, Media and Sport dated Monday 13 November 2017.

110 Digital Rights Ireland v Commission, Case T-670/16.

111 La Quadrature du Net and Others v Commission, Case T-738/16.

112 C-362/14 Maximillian Schrems v Data Protection Commissioner, 6 October 2015.

113 The Commission’s Communication on Exchanging and Protecting Data in a Globalised World which remains under scrutiny states that ‘Adequacy decisions are “living” documents that need to be closely monitored by the Commission and adapted in the case of developments affecting the level of protection ensured by the third country in question. To that end, periodic reviews will be held, at least every four years, to address issues and exchange best practices between close partners. Article 45(3) GDPR contains the review requirements in that new Regulation’.

1 December 2017