EU Lawmakers Urge Privacy Shield Suspension if US Fails to Comply Soon
Trans-Atlantic personal data-sharing agreement Privacy Shield should be suspended if the U.S. fails to meet its commitments by Sept. 1, the European Parliament Civil Liberties Committee said in a resolution approved Monday. By 29-25, lawmakers said the EU-U.S. deal doesn't offer strong enough privacy protections for Europeans, as shown by the Facebook-Cambridge Analytica data breach. Given EU dissatisfaction with the agreement, and the entry into force of the general data protection regulation, there are questions about whether the self-certification system is still as relevant.
Members of the European Parliament pressed for better monitoring of the agreement, since Facebook and Cambridge Analytica are certified under Privacy Shield. They worried about recent enactment of the U.S. Clarifying Lawful Overseas Use of Data Act, which they said could have serious implications for the EU and conflict with EU data protection laws. An amended document will be available "in some days" and is expected to be voted on at the July plenary session, the committee told us.
It's unclear what impact the GDPR might have on Privacy Shield. European Data Protection Supervisor Giovanni Buttarelli said May 24 the GDPR provides a much higher standard of safeguards than the EU-U.S. deal. "You may say Privacy Shield is still there but is less relevant for me because the entire set of standards, including the transfer, should be subject to higher standards," he said, in reported remarks later confirmed to us. Buttarelli's approach is the same as that of the European Parliament, which pressed the European Commission to take all necessary measures to ensure that Privacy Shield fully complies with the regulation and the EU Charter so the EC decision that U.S. data protections are adequate doesn't "lead to loopholes or competitive advantage for US companies," an EDPS spokesman emailed.
The EU said it doesn't see Privacy Shield and the GDPR as alternative solutions. The trans-Atlantic agreement was built on the GDPR and now has more than 3,000 certified companies after a year and a half, which testifies to its success, it said.
Buttarelli's approach seems to be that U.S. companies targeting individuals in the EU "must in any event need to comply with the GDPR ... and therefore do not need the Privacy Shield to be 'imposed' compliance with EU rules," emailed Linklaters (Brussels) data protection attorney Tanguy Van Overstraeten. Being subject to the GDPR as a non-EU company doesn't provide a valid mechanism for transferring personal data to the U.S., he said. Privacy Shield, which is such a mechanism, "still seems very useful," along with other solutions such as standard contractual clauses and binding corporate rules, he said.