A vote by European Union lawmakers seeking to suspend Privacy Shield could spell bad news for businesses that have built their GDPR compliance strategy on adherence to the EU-U.S. data transfer agreement’s principles.
The EU’s General Data Protection Regulation, like its predecessor the Data Protection Directive, authorizes the export of EU citizens’ personal information only to jurisdictions that provide an adequate level of privacy protection.
Privacy Shield, an agreement signed by EU and U.S. officials in 2016, seeks to reconcile the different levels of legal protection afforded on each side of the Atlantic, allowing businesses to export EU citizens’ data to the U.S. for processing.
The EU’s executive body, the European Commission, ruled in 2016 that the Privacy Shield deal provided adequate protection for personal information, but called for it to be reviewed annually.
It’s with an eye on the next review of the agreement, in September, that Members of the European Parliament called for the deal to be suspended in a vote on July 5.
The Parliament’s resolution on Privacy Shield identified several areas in which U.S. authorities had not yet met their commitments under the agreement, despite having been given a deadline of May 25, 2018.
The U.S. Senate has still not ratified the appointment of three members of the Privacy and Civil Liberties Oversight Board (PCLOB), including its chairman. That’s preventing the board from fulfilling “its missions of preventing terrorism and ensuring the need to protect privacy and civil liberties,” the resolution noted.
Another oversight mechanism, that of the Privacy Shield Ombudsperson, is also lacking, the resolution said. The resolution deplored a lack of clarity about the Ombudsperson’s powers, and called for a permanent appointee to the role, issues that prevent effective redress for EU citizens.
The Department of Commerce also came in for criticism. The Parliament expressed concerns that companies had been allowed to claim they had Privacy Shield certification before Department of Commerce officials had added them to the official list, and regretted that officials did not do more to verify companies’ compliance, which largely depends on self-certification.
The Parliament’s vote is non-binding: Privacy Shield can only be overturned by the Commission, or by the EU’s highest court, the European Court of Justice. It was the ECJ that invalidated the Safe Harbor agreement that Privacy Shield replaced. However, it will be difficult for the Commission to dismiss the Parliament’s criticisms and prolong the Privacy Shield deal if U.S. authorities do not move to address them before September.
The European Data Protection Board, composed of national data protection authorities from across the EU, is also closely monitoring moves by the U.S. to comply with its obligations under Privacy Shield. EDPB is still awaiting the appointment of a permanent Privacy Shield Ombudsperson in the U.S., and is concerned about a lack of information on the Ombudsperson mechanism, especially on how the Ombudsperson interacts with the intelligence services.
Ahead of the Parliament’s vote, groups representing businesses relying on Privacy Shield warned that suspension of the deal would damage transatlantic trade.
The American Chamber of Commerce in Germany said it wants the flow of data to continue while improvements to the deal are put in place. The Computer & Communications Industry Association (CCIA) cautioned against a rushed suspension of the arrangement, which it said has already seen many improvements since its introduction.
A delegation from the Parliament's Civil Liberties Committee will visit Washington next week, seeking answers from administration officials and Congress. If they aren't forthcoming, September's review of Privacy Shield could prove problematic for businesses on both sides of the Atlantic.