If yesterday's vote on the current international data-transfer agreement between the EU and U.S. at the Civil Liberties Committee hearing is any indication, Privacy Shield may be inching closer to the fate of its predecessor Safe Harbor, which went down like a punctured vessel in 2015. The question is whether the Commission shares the opinion of Parliament's LIBE Committee.
Further, the committee only narrowly passed its resolution, 29 to 25, to ask the European Commission to suspend Privacy Shield unless the U.S. gets its act together before September 1, citing the deal's failure to adequately protect EU citizens. It said Shield should remain suspended indefinitely "until the U.S. authorities comply with its terms in full." Now the resolution moves to Parliament as a whole, which is likely to vote on it in July, but won't necessarily follow LIBE's lead.
The LIBE vote follows the Facebook/Cambridge Analytica revelations involving the improper handling of user data gleaned from the social network for political purposes and appearances before Parliament by both Facebook CEO Mark Zuckerberg and whistleblower Chris Wylie. Both Cambridge Analytica and Facebook are currently certified under Privacy Shield, which MEPs pointed to as reason the U.S. must do a better job supervising the agreement for it to survive.
LIBE is calling on the U.S. to take action against companies self-certifying under Privacy Shield but in fact using data in nefarious ways "without delay" by removing them from the Privacy Shield list. It also called for EU authorities to investigate and ban data transfers in cases where companies are found to have misrepresented data practices.
While it passed muster in its first annual review, though with some recommendations for improvement, the Shield is up for its second annual review this fall. As that date approaches, said Privacy Shield Director Caitlin Fennessy in a statement to The Privacy Advisor, the U.S. Department of Commerce continues to work closely with the European Commission on implementation, and for good reason: The Department of Commerce has seen more than 1,000 new companies seeking to join the Privacy Shield in just the last month.
"This demonstrates the critical importance of our work together to ensure the Privacy Shield Framework continues to support transatlantic data protection and trade," Fennessy said, adding Commerce has worked to enhance the program as well as its outreach and oversight over the last year. "We look forward to working with all of our European partners in the months ahead and meeting with LIBE Committee representatives during their planned visit to Washington in July.”
LIBE Chair and Rappoertuer Claude Moraes said in a press release, "The LIBE committee today adopted a clear position on the EU US Privacy Shield agreement. While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR."
Eduardo Ustaran, CIPP/E, of Hogan Lovells, however, said the LIBE vote shouldn't be a surprise to anyone. After all, the European Parliament has been an "ardent critic" of the Privacy Shield from the outset and there's no indication that will change any time soon.
"If anything, this is a reminder that transfers of data outside of the EU, particularly to the U.S., remain an area of political focus," Ustaran said. "The real test will come later this summer when the European Commission and the EDPB issue their respective progress reports after two years of operation. For organizations in the EU and the U.S., those two institutions are the ones that matter when deciding whether to invest in relying on the Privacy Shield to legitimize their data flows."
In just under two years, Privacy Shield already has more than 3,000 certified organizations and is rapidly approaching the number of participating organizations that Safe Harbor gathered in nearly 15 years.
Meanwhile, LIBE also sounded concerns about the U.S.'s recent passage of the Clarifying Lawful Overseas Use of Data Act (known as the CLOUD Act), which allows U.S. law enforcement access personal data overseas.
Photo credit: archer10 (Dennis) 104M Views Poland-00765 - Mermaid Legend via photopin (license)