The EU Parliament has asked the Commission to end the EU-US Privacy Shield if the US doesn’t comply with its terms by 1 September 2018. The Parliament says that the Privacy Shield - which enables EU-US data flows - doesn’t provide the ‘adequate’ level of protection required by EU law. Organisations that rely on the Privacy Shield should monitor these developments closely as they may need to rely on another data transfer mechanism if the Privacy Shield is declared invalid.
EU data protection law - the GDPR - prohibits the export of personal data from the EEA to countries that don’t provide ‘adequate’ data protection. In 2016, the EU decided that the Privacy Shield provided adequate safeguards, so that organisations within the framework could lawfully send personal data from the EU to the US. The Privacy Shield was put in place after the previous arrangement to export personal data to the US (Safe Harbor) was struck down by the CJEU in 2015.
The Parliament’s recent decision - in the form of a non-binding resolution - highlights the Privacy Shield’s weakness in protecting privacy rights, and the increasing risk that the CJEU might strike it down. Although the resolution is non-binding, and the Commission can choose to ignore it, it shows a real concern about the arrangements between the EU and the US. The resolution reminds the Commission about its duty under GDPR to repeal, amend or suspend any adequacy decision that no longer provides adequate protection. The Parliament is concerned that adequacy decisions should have no loopholes that US companies can exploit for competitive advantage.
In considering the Parliament’s resolution, the Commission will no doubt be mindful that almost 3,000 companies are registered with the Privacy Shield and will want to avoid the legal uncertainty that occurred when Safe Harbor was struck down. This makes it unlikely that the Privacy Shield will be repealed or suspended in the immediate future. However, the second annual review of the Privacy Shield is due in the autumn – its future might become clearer then.
Our data team is close to the decision-making process in Brussels and can provide regular updates on these and other developments – including the proposed new rules on ePrivacy and on non-personal data. Please contact us if you want to know more.