Posted by Mei-Ling Huang, Partner
EU-US Privacy Shield under pressure as Civil Liberties Committee MEPs vote for suspension
The EU-US Privacy Shield framework was designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when the personal data of EU citizens is transferred to the US.
The Privacy Shield is the successor to the 2000 Safe Harbour framework which collapsed after it was invalidated by an EU Court of Justice ruling in 2015 for not protecting the data of EU citizens. The EU Commission’s response was to negotiate the Privacy Shield agreement, which was adopted in July 2016, to ensure adequate protection of personal data transferred to and stored by companies in the US. At the time the agreement was signed it was acknowledged that there were a number of issues that would need to be ironed out once it was in place, but it would appear that those issues still remain two years down the line.
Civil Liberties Committee calls on the Commission to suspend the Privacy Shield
Since 2016, over 3,000 companies have signed up to the Privacy Shield list to enable the transfer of personal data across the Atlantic; among those companies were Facebook and Cambridge Analytica. Following the scandal between those two companies which dominated the news earlier this year, MEPs in the European Parliament’s Civil Liberties Committee have voted this month to suspend the Privacy Shield.
The MEPs have taken the view that the current Privacy Shield agreement ‘does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice’ and identified several areas in which commitments have not been met under the agreement, including:
- Not ratifying the appointment of three members of the Privacy and Civil Liberties Oversight Board;
- The lack of a Privacy Shield Ombudsperson (another oversight mechanism) which prevents effective redress for citizens of the EU; and
- Companies being allowed to claim they have certification under the Privacy Shield before being added to the official list by the Department of Commerce.
The MEPs also raised concerns that data may be used to manipulate political opinion or voting behaviour and that such breaches would amount to a threat to democratic process, and that the new Clarifying Lawful Overseas Use of Data (CLOUD) Act, which allows the US and foreign police to share personal data across borders, could conflict with EU data protection laws.
In a time when our fundamental right to data protection is more important than ever, and relations between the US and the EU are already somewhat strained over other issues such as Russia and NATO, the prospect of another data transferring agreement collapsing places significant pressure on both sides. It could also mean bad news for businesses both in the EU and beyond that have built their GDPR compliance strategy on adherence to the Privacy Shield principles.
However, the General Data Protection Regulation (which came into force on 25 May 2018) states that special data sharing arrangements with countries outside the EU can only remain in place if those countries have independent authorities overseeing how European citizens’ data is handled once it is transferred to those countries. As such, although the vote is non-binding, it will be hard for the Commission to dismiss the criticisms that have been raised if they are not dealt with by the review date of September 2018.
The MEPs have just begun a trip to Washington to discuss the Privacy Shield and other data protection issues (such as the Facebook / Cambridge Analytica scandal and cyber security in general) with the US government so we will see whether the US addresses the criticisms by September.
In the meantime, if you have concerns over your GDPR compliance in light of a possible suspension of the Privacy Shield, please do not hesitate to contact our Privacy and Data Protection experts.
If you have any enquiries regarding the EU-US Privacy Shield or data protection please contact Lucy Nash on:
01865 268 685 Email us
Minimise the impact with our dispute resolution solicitors