EU won't suspend Privacy Shield following US renewal of Section 702, senior EU aide says

25 January 2018 5:27pm
EU-US Flags

23 January 2018. By Vesela Gladicheva.

Votes by the US Congress vote last week renewing a program that allows intelligence agencies access to the communications of foreigners outside the US won't lead to the suspension of the trans-Atlantic data-transfer agreement Privacy Shield, according to Renate Nikolay, chief of staff of the EU justice commissioner Věra Jourová.

"We have ... a potential suspension clause" in Privacy Shield, but "we are not in a scenario that this will immediately be triggered," Nikolay said at an event* in Brussels today.

Votes in the US Senate and House of Representatives reauthorized the National Security Agency’s warrantless Internet surveillance program for the next six years. The authorization, formally known as Section 702 of the Foreign Intelligence Surveillance Act, was set to expire last week.

The EU, including privacy authorities, had suggested that the clause is one of the concerns that could jeopardize Privacy Shield, which allows more than 2,000 companies to shift commercial data between the EU and the US. Both sides negotiated Privacy Shield to replace an older data-transfer mechanism, which the EU's top court voided in 2015 for failing to safeguard European citizens' privacy rights.


Speaking today, Nikolay said the commission had lobbied Congress and the US administration to use the authorization to expand data protection in the US national security context to cover non-Americans, too.

"We are not totally happy with what we are seeing," Nikolay said at the event, marking the start of a three-day conference that will bring together 1,000 data privacy experts. But "it's better than what could have happened," as talks in Congress also revolved around reducing the level of data protection in the US, she said.

"That would have been a real problem for us, because this is one of the foundations of the Privacy Shield," the official said.

Nikolay said the commission, which is studying the details of the authorization, will continue urging the US to beef up its data-protection regime.

"When we go back to Washington in a couple of weeks' time, we'll bring this back to Congress," she said. "There might be other kinds of debates in Congress on future data-protection aspects, and we will re-launch this idea that we should approximate our approaches to our data protection more."

Court action

During the same event, Nikolay sought to defend the legality of Privacy Shield, in the light of action by several civil-society groups in France to annul the mechanism. The EU's lower-tier General Court has yet to decide whether to admit the case.

Nikolay said Privacy Shield takes into account data-protection rights, business interests and national-security priorities. She said that some EU governments have sought to intervene in the case to defend the framework.

"Access [to personal data] for national-security purposes happens everywhere," she said. "The question is what do you need in terms of oversight and redress mechanism to ensure that it only happens when it's necessary and proportionate."

"That's the test we have to apply," she said. 

* "CPDP 2018 Launch Event," Brussels, Jan. 23, 2018 / "11th International Conference: Computers, Privacy & Data Protection 2018," Brussels, Jan. 24-26, 2018

CCPA Report