On July 5, 2018, the European Parliament passed a resolution calling for the suspension of the EU-U.S. Privacy Shield (the Privacy Shield) agreement with the United States by September 1, 2018, unless the United States can guarantee through new laws that it is fully compliant with the agreement’s terms.
Among other things, the July 5 resolution specifically identified the data breach(es) associated with Facebook and Cambridge Analytica as a concern, especially because the companies were certified under the Privacy Shield. In addition, the European Parliament voiced concerns that (1) the Clarifying Lawful Overseas Use of Data (CLOUD) Act granted the U.S. government the right to access data that is outside the territorial reach of the United States; and (2) reauthorization of Section 702 of the Foreign Intelligence Surveillance Act did not include safeguards against certain bulk data collection practices. As a result of these and other concerns, the European Parliament voted to suspend the Privacy Shield until the U.S. fully complies with its terms.
The July 5 resolution is non-binding and does not result in the suspension of the Privacy Shield—only a decision by the European Commission or the Court of Justice of the European Union can do that. However, the European Commission is required to respond to the European Parliament’s concerns within three months. In addition, the Privacy Shield agreement provides for an annual review of its adequacy and effectiveness—with the next review set to be conducted in the fall of this year.
TIP: Companies should monitor the upcoming annual review of the Privacy Shield, as well as the status of the ongoing litigation between Maximilian Schrems and Facebook Ireland Limited (Schrems II), to see what changes, if any, are required. They may also want to consider whether they should utilize alternative means of transferring data to the U.S.