The European Parliament has passed a non-binding resolution calling for the European Commission to suspend the EU-US Privacy Shield if the US does not comply with its requirements by 1 September 2018.
The European Parliament acted over concerns that the Privacy Shield hasn't been implemented as promised.
The Privacy Shield is a legal framework agreed between the EU and the US to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data to the US.
The Commission issued an adequacy decision in July 2016 declaring that the Privacy Shield provides an adequate level of data protection. The adequacy decision was followed by the first annual review of the Privacy Shield (completed in October 2017). The review found that the Privacy Shield worked well but that there was room for improving its implementation as its redress mechanisms had not been tested in practice.
Concerns over the Privacy Shield
The European Parliament considers that the Privacy Shield does not provide an adequate level of data protection under EU data protection law because (among other reasons):
- Non-US citizens have been excluded from the protections of the USA Privacy Act (which ensures the protection of personal data) by President Trump's controversial 2017 Executive Order (see our previous article).
- The US has failed to appoint independent supervisory authorities (such as a permanent Ombudsman) to oversee how EU citizens' personal data is handled as required by the GDPR.
- The European Data Protection Board (EDPB) (formerly Article 29 Working Party) has raised concerns about the commercial aspects of the Privacy Shield (such as the lack of specific rules on automated decisions) and issues relating to the bulk collection of personal data by US authorities.
- The European Parliament is concerned about the adoption of a US Act (US CLOUD Act) which allows US national security and law enforcement agencies to access personal data across borders. The Privacy Shield's predecessor, the Safe Harbour Framework, was struck down in 2015 by the Court of Justice of the EU due to similar concerns (i.e. in relation to the mass access to personal data by US national security authorities and the lack of transparency in respect of its treatment).
- There is a lack of sufficient monitoring of the Privacy Shield in terms of data breach prevention, as evidenced by Facebook-Cambridge Analytica data breach. In particular, Facebook did not protect its users (which included 2.7 million EU citizens) by failing to prevent its political consultancy firm, Cambridge Analytica, from misusing their personal data (both companies are certified under the Privacy Shield).
Although the resolution is not binding and does not suspend the Privacy Shield, the Commission will be required to consider the official position of the European Parliament in the course of the second review of the Privacy Shield (scheduled for October 2018). If it finds that the Privacy Shield does not adequately protect EU citizens' personal data, it has the power to amend, suspend or cancel it.
If your organisation relies on data being able to flow freely between the EU and the US, you will need to monitor developments closely. Consider whether you can rely on other mechanisms apart from Privacy Shield to legitimise US transfers, such as model contract clauses or consent, notwithstanding the practical difficulties that such mechanisms may entail.