Members of the European Parliament (MEPs) have said that the Privacy Shield should be suspended in the wake of the recent Facebook data scandal and the GDPR.
In 2016, the European Commission adopted the EU-U.S. Privacy Shield. The Privacy Shield is a framework agreed between the European Union and the United States after the European Court invalidated the ‘Safe Harbor’ framework. This was because ‘Safe Harbor’ offered inadequate protection for EU personal data under the fundamental rights of Europe.
The Privacy Shield offers stronger protection than Safe Harbor for transatlantic data flows. This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on transatlantic data transfers.
Following the new framework, many lawyers doubted that the new agreement would be compatible with the GDPR legislation. Data protection lawyer Sheila Fitzpatrick predicted that the deal would have to be renegotiated.
In 2016 she said, “The Privacy Shield may have to be renegotiated in 2018 because the GDPR obviously puts many more obligations, responsibilities and accountabilities onto any not just US-based multinational companies but any organisation that does business in Europe.”
Months ago we wrote an article asking the question: If a company is self-certified under the Privacy Shield, would that mean the company would be automatically in compliance with GDPR?
At that time, it appeared to be rather a grey area. It was obvious that there would be issues – it wasn’t a matter of ‘if’ but of ‘when’.
When is now.
At the beginning of June, the European Parliament said the Privacy Shield agreement should be suspended unless the US complied with it by 1st September 2018. They said the Privacy Shield should remain suspended “until the US authorities comply with its terms in full”.
Due to the Facebook-Cambridge Analytica data breach, the MEPs urged better monitoring of the agreement. In a statement, the MEPs called on the US authorities “to act upon such revelations without delay and if needed, to remove companies that have misused personal data from the Privacy Shield list”. They also said that the EU authorities should investigate such cases and, where appropriate, suspend or not allow data transfers under the Privacy Shield.
In addition to that, the MEPs said they were also concerned about the recent adoption of the Clarifying Lawful Overseas Use of Data Act (Cloud Act), a US law that grants the US and foreign police access to personal data across borders. They said the US law could have serious implications for the EU and could conflict with EU data protection laws.
The Civil Liberties Committee chair and rapporteur Claude Moraes said that the LIBE committee had adopted a clear position on the EU-US Privacy Shield agreement. Although progress had been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter.
There is a need for the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.
A vote is due to be taken by the full parliament in July after the resolution was passed 29 votes to 25 with 3 abstentions.
Should the Privacy Shield be suspended following the Facebook data scandal? We think so.
Never before have the data protection laws of the USA and the EU been so diametrically opposed. The Cloud Act is the most recent step in a long line of US invasions of data privacy.
The EU Article 29 Working Party (now replaced by the European Data Protection Board) had warned that the Privacy Shield was inadequate for compliance with the GDPR.
Max Schrems had challenged the US Safe Harbor agreement’s data privacy adequacy (and won) in the European courts. He is also challenging the Privacy Shield, as covered in our previous article.
Now that a full European parliamentary vote to suspend the US Privacy Shield is due this month (July 2018), a pending suspension of the US-EU agreement could be devastating for trade and information security between US and EU countries (yes, that means you as well, UK).
Are we surprised? Not really! But what does this mean for your business?
Seeing as the three biggest worldwide cloud service providers (Google, Amazon and Microsoft) are US based, now is not a good time to be risking your business data model on cloud-based data.
Even if you can get agreement that your business data will be stored in a European-based data centre of one of these US providers, the Cloud Act and the Privacy Shield will render the protections guaranteed by the EU GDPR null and void for your customers’ rights if the US does not act quickly.
Know your rights. Be.Infoready