The flow of data between the United States and the EU may be at risk as tensions are rising around Privacy Shield. If you haven’t been living under a rock for the last two years, you will likely have heard of the GDPR – the EU data protection regulation that now fiercely protects EU citizen data, whether in the hands of a non-EU or EU-based organisation. You may have wondered, then, how companies in places like the US are still able to legally hold and process EU data without falling foul of the GDPR, and the answer is Privacy Shield. Privacy Shield is a framework that allows companies on both sides of the Atlantic to transfer data while complying with the GDPR. However, this may all soon change, with Members of the European Parliament calling for Privacy Shield to be brought up to scratch or invalidated.
Privacy Shield’s predecessor, Safe Harbour, was already invalidated in 2016 after it was ruled to be inadequate by the EU
The flow of data between the US and EU was protected by Safe Harbour until 2016, when it was declared invalid by the Court of Justice of the EU following a legal challenge from privacy activist Max Schrems. Privacy Shield was set up to allow data flow to continue, as US companies could register for it to show compliance with EU data protection standards.
Following the Facebook-Cambridge Analytica data scandal, MEPs said there is now a need for better monitoring of the agreement, given that both companies involved in the scandal are certified under Privacy Shield.
In a close 29 to 25 vote last night, the EU Civil Liberties Committee (LIBE) adopted a motion for a resolution that calls on the Commission to suspend the deal unless the US is compliant by 1 September.
“While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter,” said Claude Moraes, chair of LIBE. “It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the [GDPR].”
MEPs have called on the US authorities to act on such revelations without delay and, if needed, to remove companies that have misused personal data from the Privacy Shield list. EU authorities should also investigate such cases and, if appropriate, suspend or ban data transfers under the Privacy Shield, they added.
In just under two years, Privacy Shield has already gained more than 3,000 certified organizations and is rapidly approaching the number of participating organizations that Safe Harbor gathered in nearly 15 years.
Concerns about Privacy Shield included vacant posts on the Privacy and Civil Liberties Oversight Board (PCLOB), the lack of a permanent ombudsman, the impact of US President Donald Trump’s executive orders on immigration, and attitudes towards security and privacy.