Editor's note: This story was updated at 10:30 a.m. on July 6 to reflect comments from the Department of Commerce.
While the U.S. was busy celebrating Independence Day July 4 with barbecues and fireworks, the European Parliament was debating the future of the Privacy Shield deal. The conclusion? Today, Parliament voted for its suspension.
The non-binding resolution passed by 303 votes to 223, with 29 abstentions, and calls on the executive arm of the EU, the European Commission, to suspend the data-sharing deal “unless the U.S. is fully compliant” by Sept. 1.
Privacy Shield is the “gentlemen’s agreement” that came into force in 2016 after Safe Harbor was struck down. Like its predecessor, the arrangement allows the transfer of personal data from the EU to U.S. companies that have promised to adhere to European data protection standards.
However, Privacy Shield has been dogged by controversy since its inception, and Parliament’s own civil liberties committee found that the current Privacy Shield arrangement “does not provide the adequate level of protection.” This view has likely been reinforced by three recent hearings on the Facebook-Cambridge Analytica scandal where MEPs were left vexed by a lack of clear answers.
In their resolution, MEPs emphasized “the need for better monitoring of the agreement, given that both companies are certified under the Privacy Shield,” and expressed concern that “data breaches may pose a threat to democratic processes if data is used to manipulate political opinion or voting behaviour.”
The recent adoption of the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which allows police access to personal data across borders, is also a worry and is potentially in contravention of EU data protection laws.
British MEP Claude Moraes, who chairs the civil liberties committee and spearheaded the action against Privacy Shield, was pleased with the vote.
“This resolution makes clear that the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. Progress has been made to improve on the Safe Harbor agreement but this is insufficient to ensure the legal certainty required for the transfer of personal data. The law is clear and, as set out in the GDPR, if the agreement is not adequate, and if the US authorities fail to comply with its terms, then it must be suspended until they do.”
A spokesperson for the U.S. Department of Commerce told The Privacy Advisor that Commerce is "surprised and disappointed the European Parliament disregarded the considerable information we provided — at the Parliament's express request — regarding the Trump Administration's commitment to the full functioning of Privacy Shield." Commerce called the information in the resolution "inaccurate and misleading" and said it "creates uncertainty for both U.S. and EU companies and consumers, and puts at risk the world's largest commercial relationship."
Paul Breitbarth, director at Nymity, said of the September 1 date: “That’s a pretty short deadline to renegotiate the Privacy Shield to make it GDPR compliant as well. The Shield is still based on the now defunct directive 95/46, and I doubt that they will be able to manage before the deadline. It takes two to tango, and the current U.S. administration does not seem to have privacy front of mind so far, unfortunately.”
Under the GDPR, important new notions like the right to data portability and additional obligations on data controllers, including the need to carry out data protection impact assessments and to comply with the principles of privacy by design and privacy by default, should be included in the Privacy Shield. That would require a renegotiation and approval, all within a few weeks. Breitbarth was skeptical such a feat could be managed.
However, not all MEPs were so keen to see Privacy Shield overhauled to make it fit for purpose. ECR Group MEP Dan Dalton called the vote “irresponsible and unrealistic,” and said it “could leave EU citizens in legal limbo."
He added, "Ultimatums from the European side may sound good to some politicians and their supporters, but in practice would be a disaster for people and businesses."
However, even Dalton concedes that the resolution “does make a number of useful recommendations to improve implementation, such as appointing a permanent Privacy Shield Ombudsman.”
The Computer & Communications Industry Association also cautioned against “a rushed suspension of this arrangement.”
CCIA Europe Senior Manager Alexandre Roure said, “Privacy Shield has extended EU privacy standards globally while safeguarding international data flows which European firms and Europe’s economy rely on."
Parliament's resolution is non-binding, so the European Commission can choose to ignore it. However, an annual review of the Shield is due in September, and the executive may take the opportunity of the Parliament resolution and the introduction of GDPR to push for tighter safeguards. Still, with almost 3,000 companies currently voluntarily registered as part of the framework, a full suspension is a long way off.
Relatedly, the U.S. Federal Trade Commission recently settled with a California company over its false claims it was in the process of being certified under the Privacy Shield agreement. New FTC Chairman Joseph Simons said the settlement "demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield."
That development, however, clearly wasn't enough to sway Parliament for now.
For the commission's part, it added that it "welcomed Commissioner Jourová’s statement that, 'all elements on which our adequacy finding was based have remained in place since the new U.S. Administration took office,'" and that it agrees "that Privacy Shield cannot function unless both sides work together to support it."