Documents considered by the Committee on 30 January 2019

11 EU-US commercial data transfers: second review of Privacy Shield

Committee’s assessment

Legally and politically important

Committee’s decision

Cleared from scrutiny; further information requested; drawn to the attention of the Exiting the EU Committee, the Science and Technology Committee, the Home Affairs Committee and the Digital, Culture, Media and Sport Committee

Document details

Report from the Commission to the European Parliament and the Council on the second annual review of the functioning of the EU-US Privacy Shield

Legal base


Digital, Culture, Media and Sport

Document Number

(40304), 15836/18 + ADD 1, COM(18) 860

Summary and Committee’s conclusions

11.1 The ability to continue to share commercial data with the EU after Brexit will be crucial to the UK’s future trading relationship with the EU. Personal data can only be shared by data processors and controllers in the EU with third countries who provide equivalent levels of data protection. This is usually established by a Commission implementing act called an “adequacy decision”. The necessary implementing powers for the Commission are provided by the EU parent legislation, the General Data Protection Regulation.[163] It is also a matter of concern that after Brexit the UK can share data with countries who already have an EU adequacy decision.

11.2 On 12 February 2016, the EU and US came to political agreement on a framework for EU-US personal data transfers for commercial purposes, known as Privacy Shield. On 12 July, the Commission adopted a partial adequacy decision which approved that framework as providing an adequate level of protection for transfers of EU data to the US. This followed the invalidation of the previous adequacy decision, relating to the Safe Harbor framework, in the Schrems[164] case for incompatibility with the DPD and Articles 7 and 8 of the Charter of Fundamental Rights (right to a private and family life and right to protection of personal data).

11.3 The proposed Commission Implementing Decision for the approval of the Privacy Shield was itself deposited at the request of the previous Committee who scrutinised it closely. A summary of the content of Privacy Shield is provided at paragraphs 6.12–6.14 of our Report of 29 November 2017.[165]

11.4 It is a requirement of the Privacy Shield adequacy decision itself that it must be annually reviewed by the Commission.[166] The first annual review was published on 18 October 2017. The report overall showed that Privacy Shield continued to ensure an adequate level of data protection for personal data transfers for commercial purposes from the EU to the participating companies in the US. But the following recommendations were made:

11.5 The current document is the second annual review of the Privacy Shield decision. The corresponding report was published on 19 December 2018. It followed discussions which took place in mid-October 2018, between Commission officials and representatives of all relevant US government departments. These included the Federal Trade Commission (FTC), the Office of the Director of National Intelligence, the Department of Justice and the State Department. The two sides’ representatives considered a study on automated decision-making commissioned by the Commission as well as input from stakeholders, including companies and privacy NGOs. Representatives of the EU’s DPAs also participated in the review.

11.6 Overall, the second review concludes that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield Framework from the EU to participating companies in the US. Steps taken by US authorities to implement the recommendations made by the Commission in last year’s report had improved the functioning of the framework, though the Commission does expect them to nominate a permanent Ombudsman by 28 February 2019.[167] The Commission considers that the Ombudsman is an important mechanism that ensures complaints concerning access to personal data by US authorities are addressed.

11.7 In addition, the report notes that:

11.8 The report also concludes that the steps taken to implement the Commission’s recommendations following the first annual review have improved several aspects of the practical functioning of the framework. However, some of these steps have been taken only recently and the relevant processes are still ongoing and need to be closely monitored. Apart from those already mentioned, these include:

11.9 The Minister for Digital and the Creative Industries (Margot James MP) in her Explanatory Memorandum[168] welcomes the outcome of the second joint annual review and the continuation of the EU-US Privacy Shield framework. She adds that the Government considers that the Privacy Shield decision continues to provide the most efficient way of transferring data between the EU and the US and is essential for UK businesses.

11.10 Turning to Brexit, the Minister notes that the US Government has recently published guidance[169] as to how personal data can continue to be exchanged between the UK and US under the Privacy Shield Framework:

11.11 On the next steps the Minister says:

The Commission’s report will be sent to the European Parliament, the Council, the European Data Protection Board and to the US authorities. The European Commission expects the US Government to identify a nominee to fill the Ombudsperson position on a permanent basis by 28 February 2019 at the latest. If this does not happen by that date, the Commission will consider taking appropriate measures, in accordance with the General Data Protection Regulation.

Our conclusions

11.12 We thank the Minister for her Explanatory Memorandum.

11.13 This report is important, not only as a review of an adequacy decision to enable data sharing between the EU and a significant third country but because of its relevance to Brexit. It is a reminder of what the UK will need to do to secure and maintain an adequacy decision. We note, for example, that the Commission has warned the US authorities that appropriate measures will be taken under the General Data Protection Regulation if an Ombudsman is not appointed by 28 February. We ask the Minister to confirm that one of these possible measures could be the revocation by the Commission of the Privacy Shield adequacy decision.

11.14 It is reassuring that the US Government has provided an indication of how UK-US transatlantic data flows will continue after 29 March 2019. In summary, we note that this guidance indicates that from a US perspective:

We ask the Government what guidance other countries with EU adequacy decisions have issued as to how they will share data with the UK after Brexit.

11.15 Related to the question above, we note that the Commission has now adopted a data adequacy decision for the exchange of EU data with Japan.[170] We ask the Government for clarification of the meaning of this extract from the Commission’s FAQs on the decision and what implications it has, if any, for a future EU-UK data adequacy decision:

For the first time, the EU and a third country agreed on a reciprocal recognition of the adequate level of protection. European companies will thus benefit from unhindered data transfers from and to Japan as well as from privileged access to its 127 million consumers’ market. In this way, these adequacy findings will complement and enhance the benefits of the Economic Partnership Agreement which will become effective as of 1 February 2019.

11.16 We further note that the European Data Protection Board[171] (EDPB) have just published their own report[172] on the second review of the Privacy Shield adequacy decision. The relevant press release says that concerns remain since the first review of the EDPB:

[These include] concerns already expressed by the EDPB’s predecessor WP29 on the lack of concrete assurances that indiscriminate collection and access of personal data for national security purposes are excluded. Also, based on the information provided so far, the EDPB cannot currently consider that the Ombudsperson is vested with sufficient powers to remedy non-compliance. In addition, the Board points out that checks regarding compliance with the substance of the Privacy Shield’s principles are not sufficiently strong. Moreover, the EDPB has some additional concerns with regard to the necessary checks to comply with the onward transfer requirements, the scope of meaning of HR Data and the recertification process, as well as to a list of remaining issues raised after the first joint review which are still pending.

Does the Government consider that any of the EDPB’s concerns, particularly in relation to data processing for national security purposes, could pose a problem for an EU-UK adequacy decision?

11.17 We would be grateful for an update on any of the legal challenges to Privacy Shield which have been made or any preliminary reference questioning how it is to apply. We are aware of Digital Rights Ireland (Case T-670/16), La Quadrature du Net and Others v Commission (Case T-738/16) and Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (C-311/18). As part of an update, it would be helpful if the Government could confirm in which of the legal challenges the UK has intervened and whether the General Court has ruled the Digital Rights Ireland challenge to be inadmissible due to the standing of the body bringing the challenge.

11.18 We have already asked the Government extensive questions during our scrutiny of a range of data-related EU documents about how the UK will share data with the EU after Brexit, particularly in the event of “no deal”. We thank the Government for their response of 24 January to our letter of 14 November which we have just received, together with a detailed annex. This provides outstanding responses to questions in our Report of 12 September which framed a following debate in European Standing Committee B on 23 October. The debate was based on two EU documents: the Commission’s Communication[173] on Exchanging and Protecting Data in a Globalised World and the EU proposal for provisions on cross-border data flows and protection of personal data and privacy.[174] We shall be exploring those responses in a further Report chapter in due course.

11.19 On that basis, we do not seek to rehearse that ground in this Report. Instead we simply draw to the House’s attention again the issue of how the UK will share data with the EU, particularly in the context of “no deal”. In the light of all that extensive prior scrutiny, we are content to clear this non-legislative document. But we draw it and our chapter to the attention of the Exiting the EU Committee, the Science and Technology Committee, the Home Affairs Committee and the Digital, Culture, Media and Sport Committee.

Full details of the documents

Report from the Commission to the European Parliament and the Council on the second annual review of the functioning of the EU-US Privacy Shield: (40304), 15836/18 + ADD 1, COM(18) 860.

Previous Committee Reports

None; but see (39148), 13524/17: Fourteenth Report, HC 301–xiv (2017–19), chapter 12 (21 February 2018) and Third Report HC 301–iii (2017–19), chapter 6 (29 November 2017); see also (38493), 5191/17: Thirty-eighth Report, HC 301–xxxvii (2017–19), chapter 1 (12 September 2018).

163 Article 45(3) of Regulation 2016/679 states that the implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2) of the Regulation.

164 Maximillian Schrems v Data Protection Commissioner, C-362/14.

165 Third Report HC 301–iii (2017–19), chapter 6 (29 November 2017).

166 This is because Article 45(3) of the GDPR states that “the implementing act” [constituting the adequacy decision] “shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation”.

167 The failure to make a permanent appointment was due to a corresponding failure to appoint an Under-Secretary in the State Department which is responsible for the Ombudsman function.

168 Date 18 January 2019.

169 The link is to the Brexit FAQs page on the US Government’s Privacy Shield Framework website: https//

172 EU—U.S. Privacy Shield—Second Annual Joint Review, adopted on 22 January 2019

173 (38493), 5191/17, COM (2017) 7 final.

174 (40020),—.

Published: 5 February 2019