EU-US Privacy Shield on the chopping block? (Loyens & Loeff)
Date of publication: 22/08/2018
The EU – US Privacy Shield was adopted in July 2016 as a replacement of the Safe Harbor regime, which was struck down by the EU Court of Justice (“CJEU”). Both regimes secured the transfer of personal data between the EU and the US. In order to receive personal data from the EU for commercial purposes, and in the absence of another legal ground for such data transfer, US companies have to self-certify with the US Department of Commerce and publicly engage themselves to respect the Privacy Shield’s requirements.
EU – US Privacy Shield suspension demanded if US does not comply by 1 September 2018
On 5 July 2018, the European Parliament issued a Resolution stating that the Members of the European Parliament (“MEPs”) request the European Commission to suspend the EU – US Privacy Shield, as it does not effectively procure adequate personal data protection for EU citizens.
According to the MEPs, this suspension should be ordered by the European Commission unless the US abides by the EU standards for personal data protection by 1 September 2018, and until the US complies entirely with such standards.
Aftermath of the Facebook / Cambridge Analytica data breach
In reaction to the Cambridge Analytica scandal, the MEPs called for stronger supervision of the Privacy Shield. They now demand the US authorities to react accordingly, including by removing the companies that failed to comply from the Privacy Shield certification list.
In addition, also the EU data protection authorities should use their examination and sanctioning powers, and should consequently interrupt or ban certain data transfers currently taking place under the umbrella of the Privacy Shield. Self-certification should not lead to loopholes or competitive advantages for US companies.
A probability more than a possibility?
One could assume, given the recent changes in the US legislation, that it will be difficult to comply with the requirements set forth by the European Parliament on such short notice. Indeed, the US Congress recently enacted the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), granting US and foreign police access to personal data across borders. The adoption of the CLOUD Act could therefore even increase the tensions and the conflict with the EU data protection standards enshrined in the GDPR.
On the other side of the spectrum, the recent adoption of the California Consumer Privacy Act indicates a clear willingness at the level of individual State governments to protect individual privacy, with some measures that even go beyond the European GDPR standards.
Only time will tell whether and how the EU and US government will be able to make the EU – US Privacy Shield a reliable and robust framework for international data transfers.
In the meanwhile, not the European Parliament, but only the European Commission has the power to suspend or revise the Privacy Shield framework, notwithstanding the power of the EU Court of Justice to invalidate the European Commission’s decisions. And while the Resolution of the European Parliament is not binding on the European Commission (or on the CJEU), it is definitely a strong political signal. With, on top of this, a case for the invalidation of the Privacy Shield (initiated by Max Schrems) currently pending before the CJEU, the future of the Privacy Shield does not look very bright …
More information on the Privacy Shield can be found here and in our previous newsflash concerning cross-border data transfers. More background information can be found in the Press Release on the European Parliament’s Resolution.