European Parliament calls for suspension of Privacy Shield
Is the EU-US Privacy Shield in danger?
On 5 July 2018 the European Parliament issued a non-binding resolution calling for the European Commission to suspend the EU-US Privacy Shield if the US did not meet its requirements by 1 September 2018. The European Parliament was reacting to concerns that the Privacy Shield had not been implemented as agreed.
The Privacy Shield acts as a framework between the US and the EU to provide companies from both regions with a mechanism to meet data protection requirements when transferring personal data to the US.
In July 2016 the Commission declared the Privacy Shield provided an adequate level of data protection. Similarly in October 2017 an annual review of the Privacy Shield found that it worked well, yet there was room for improvement.
However, the European Parliament stated in the July resolution that "a number of concerns remain regarding both the commercial aspects and the access by US public authorities to data transferred from the EU … [including] the lack of concrete assurances of not conducting mass and indiscriminate collection of personal data (bulk collection)."
The concerns can be summarised into four main areas:
- President Trump's 2017 Executive Order excluded non-US citizens from the protections of the USA Privacy Act;
- the Facebook-Cambridge Analytica data breach highlighted the lack of sufficient monitoring of the Privacy Shield in terms of data breach prevention;
- the US Act (US CLOUD Act) allows US national security and law enforcement agencies to access personal data across borders. The Safe Harbour Framework (the predecessor to the Privacy Shield), was struck down by the Court of Justice in 2015 due to similar concerns; and
- the European Data Protection Board raised concerns about the commercial aspects of the Privacy Shield and problems regarding the bulk collection of personal data by US authorities.
Why is this important?
While the resolution from the European Parliament is not binding, and the Privacy Shield remains in place for now, it does send a strong political message. The Commission will have to conduct a second review which is currently scheduled for October 2018. After which, if the Commission deems that the Privacy Shield does not adequately protect EU citizens' personal data, they have the power to cancel, suspend or amend the Privacy Shield. The situation is exacerbated by the current case for the invalidation of the Privacy Shield (initiated by Max Schrems) currently pending before the CJEU.
Any practical tips?
Developments will need to be monitored carefully for any organisation relying on data flowing freely between the EU and the US. Alternatives to the Privacy Shield should be investigated to ensure legitimate US transfers, which include the EU's model contract clauses. But the latter are of course also currently subject to invalidation claims by Mr Schrems. The future of international data transfers is looking far from rosy, and that's without even adding Brexit complications to the mix.