On 5 July 2018, the European Parliament demanded in a resolution that the European Commission suspends its EU-U.S. Privacy Shield unless the U.S. administration introduces adequate data protection safeguards by 1 September 2018. The Privacy Shield agreement is aimed at facilitating data transfers of EU personal data to the United States. The non-binding resolution was passed 303 to 223 votes, with 29 abstentions, and calls on the European Commission to suspend the data-sharing deal unless the United States is fully compliant by September 1.

Issue

The European Parliament admonishes the United States for failing to ensure effective ‘adequate protection’ of the transfer of EU personal data to the United States.

The European Parliament critiques that the U.S. administration has been slow to meet requirements set forth by the General Data Protection Regulation (GDPR), which specifies that special data sharing arrangements with countries outside the EU can only remain in place if those countries have independent authorities that properly oversee how Europeans’ data is handled once it moves abroad. The United States has failed to appoint members to the U.S. Privacy Civil Liberties Oversight Board (PCLOB), or to appoint a permanent Ombudsman to chair the PCLOB.

Concerns and benefits

A major concern for the EU is that companies transferring personal data to the United States could be obliged to provide it to U.S. governmental bodies, such as national security agencies, without transparency, accountability or clarity about how the data is used. Because of similar concerns, the European Court of Justice previously invalidated the Privacy Shield’s predecessor, the U.S.-EU Safe Harbour framework, in October 2015.

The European Commission published a first annual review of Privacy Shield in October 2017, issuing 10 recommendations to improve the implementation of the program and finding that its redress mechanisms hadn’t been tested in practice. In principle, the European Commission could suspend or cancel the Privacy Shield if it finds in the second review of the framework later this year that privacy shortcomings persist or its recommendations from the first review haven’t been implemented.

Legal effects

The approved resolution does not suspend the Privacy Shield itself, nor will it affect other alternative legal mechanisms for transfer such as binding corporate rules (BCRs) (Article 47 GDPR), standard data protection clauses adopted by the European Commission (Article 93(2) GDPR) or standard data protection clauses adopted by a supervisory authority and approved by the European Commission. Though the resolution will not annul the Privacy Shield, it is the European Parliament’s official position on it. The European Commission is required to consider the position when reviewing the Privacy Shield later this year as part of its annual review. The annual review evaluates the effectiveness of the Privacy Shield in ensuring ‘adequate protection’ of EU citizens’ personal data when transferring such data to the United States.

Comment

The Privacy Shield framework forces companies to think carefully about data protection compliance and to conduct due diligence prior to certification. The European Commission scrutiny of the program has intensified under the new GDPR framework and its increased obligations applicable to data processors and controllers. Although the resolution does not suspend the Privacy Shield, it reflects continued serious concerns by European regulators about Privacy Shield.