EU Parliament sets two-month deadline for Privacy Shield suspension

The resolution calls on a halt to data sharing under the agreement if the US fails to comply

The European Parliament has said the Privacy Shield agreement, which governs the transfer of data between the EU and US, should be suspended if the US doesn't ensure it's compliant with GDPR by 1 September.

MEPs believe that the agreement fails to offer 'essentially equivalent' safeguards to those guaranteed within the European Union, and therefore the agreement should be suspended.

Advertisement - Article continues below

The resolution, which passed with a 303 to 223 vote in favour, states that "the current Privacy Shield arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice".

"...unless the US is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield until the US authorities comply with its terms."

The resolution follows a similar decision by the Civil Liberties (Libe) Committee last month, which called for the suspension of the agreement after the discovery of the improper sharing of Facebook user data by Cambridge Analytica.

Despite recent revelations that 87 million Facebook users had their data improperly shared with third-parties through Cambridge Analytica, the company remains listed as an active member of the Privacy Shield agreement.

Advertisement - Article continues below
Advertisement - Article continues below

MEPs argued that the "revelations clearly show that the Privacy Shield mechanism does not provide adequate protection of the right to data protection", and that such companies should be sanctioned and removed from the Privacy Shield list.

Privacy Shield has been a less than perfect solution since its introduction in 2016, rushed into place following the scrapping of the Safe Harbour agreement - itself ruled ineffective by the European Court of Justice.

The EU has criticised its effectiveness and questioned how committed the US is to the agreement, particularly as the Privacy and Civil Liberties Oversight Board, responsible for governing the agreement on the US side, still only has one official board member.

The European Parliament supports the view of the Article 29 Working Party, the EU's collection of member state data protection officials, that despite progress since the first annual review of the agreement there remain "unresolved issues of significant concern".

Advertisement - Article continues below

Pressure is now mounting to address unresolved concerns ahead of its second annual review, due to take place in October.

These include the levels of access US public authorities have to data transferred under Privacy Shield, as well as concerns around the handling of 'bulk data'. The definition of what constitutes 'national security', or the definition of 'targets' and 'tasking of selectors' in relation to bulk data collection are said to be unclear and insufficient.

The statement raises "concerns about Executive Order 12333, which allows the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency and the Department of Homeland Security", and the lack of any judicial review of surveillance activities.

The resolution also expressed concern over the recent 'Enhancing Public Safety in the Interior of the United States' executive order, signed into force by President Trump, that stripped away data protections for non-US citizens.

Advertisement - Article continues below

While not specifically related to Privacy Shield, the parliament said it gives an indication as to the "intention of the US executive to reverse the data protection guarantees previously granted to EU citizens and to override the commitments made towards the EU during the Obama Presidency".

The final decision will now rest with the European Commission, however, an outright suspension of the deal would likely create chaos for the approximately 4,000 companies currently operating under the framework.

Despite the mounting pressure from within the EU, the Commission itself appears to support Privacy Shield in its current form. In response to the resolution, a Commission spokesperson told Techcrunch: "The Commission's position is clear and laid out in the first annual review report. The first review showed that the Privacy Shield works well, but there is some room for improving its implementation".

He added that it would continue to work with the US administration with the aim of keeping Privacy Shield running.

Image: Shutterstock

  • privacy
  • General Data Protection Regulation (GDPR)
Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020