EU Lawmakers Urge Privacy Shield Suspension if US Fails to Comply Soon
Trans-Atlantic personal data-sharing agreement Privacy Shield should be suspended if the U.S. fails to meet its commitments by Sept. 1, the European Parliament Civil Liberties Committee said in a resolution approved Monday. By 29-25, lawmakers said the EU-U.S. deal doesn't offer strong enough privacy protections for Europeans, as shown by the Facebook-Cambridge Analytica data breach. Given EU dissatisfaction with the agreement, and the entry into force of the general data protection regulation, there are questions whether the self-certification system is as relevant anymore.
Members of the European Parliament pressed for better monitoring of the agreement, since Facebook and Cambridge Analytica are certified under Privacy Shield. They worried about recent enactment of the U.S. Clarifying Lawful Overseas Use of Data Act, which they said could have serious implications for the EU and conflict with EU data protection laws. An amended document will be available "in some days" and is expected to be voted on at the July plenary session, the committee told us.
It's unclear what impact the GDPR might have on Privacy Shield. European Data Protection Supervisor Giovanni Buttarelli said May 24 the GDPR provides a much higher standard of safeguards than the EU-U.S. deal. "You may say Privacy Shield is still there but is less relevant for me because the entire set of standards, including the transfer, should be subject to higher standards," he said, in reported remarks later confirmed to us. Buttarelli's approach is the same as that of the European Parliament, which pressed the European Commission to take all necessary measures to ensure that Privacy Shield fully complies with the regulation and the EU Charter so the EC decision that U.S. data protections are adequate doesn't "lead to loopholes or competitive advantage for US companies," an EDPS spokesman emailed.
The EU said it doesn't see Privacy Shield and the GDPR as alternative solutions. The trans-Atlantic agreement was built on the GDPR and now has more than 3,000 certified companies after a year and a half, which testifies to its success, it said.
Buttarelli's approach seems to be that U.S. companies targeting individuals in the EU "must in any event need to comply with the GDPR ... and therefore do not need the Privacy Shield to be 'imposed' compliance with EU rules," emailed Linklaters (Brussels) data protection attorney Tanguy Van Overstraeten. Being subject to the GDPR as a non-EU company doesn't provide a valid mechanism for transferring personal data to the U.S., he said. Privacy Shield, which is such a mechanism, "still seems very useful," along with other solutions such as standard contractual clauses and binding corporate rules, he said.