EU-U.S. Privacy Shield, another deal down the drain?
If your company transfers personal data of EU citizens to the United States (U.S.) on the basis of the Privacy Shield, be aware! On 5 July 2018, the European Parliament decided to suspend its support for the successor of the Safe Harbour framework, if the U.S. fails to comply with the European data protection rules by 1 September 2018.
What about international data transfers?
Under the General Data Protection Regulation (GDPR), a transfer of personal data to a country or an international organisation outside the EU may take place only if such country or organisation is able to ensure that the level of protection guaranteed by the GDPR is not undermined.
The ‘EU-US Privacy Shield’ is an agreement between the U.S. and the EU that allows U.S. companies to maintain an adequate level of data protection for the transfer of personal data from the EU to the U.S. The Privacy Shield is a self-certification mechanism for U.S.-based companies. In order to be entitled to self-certify under the Privacy Shield, the U.S. company must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or of the Department of Transportation (DoT). So, while the decision by a company to certify under the Privacy Shield is entirely voluntary, effective compliance is compulsory once certified.
Before transferring personal data to a U.S. company that claims to be Privacy Shield certified, European businesses have to verify (via the U.S. Department of Commerce’s website) that the U.S. company indeed holds an active certification (to be renewed annually) and that the certification covers the personal data in question. For the transfer of personal data to U.S. companies that are not, or are no longer, members of the Privacy Shield, other GDPR-compliant transfer mechanisms such as Binding Corporate Rules or Standard Contractual Clauses may be used for the transfer of personal data from the EU to the U.S.
In the shadow of the Safe Harbour regime
The Privacy Shield is the successor of the ‘EU-US Safe Harbour’ (2000), a regime that was declared invalid by the EU Court of Justice in its judgment of October 2015 in the case of Maximillian Schrems v Data Protection Commissioner, on the grounds that it was not strict enough on data protection for EU citizens. The Privacy Shield was introduced less than one year after the Schrems judgment. Although the Privacy Shield strengthened the protection of personal data in relation to transfers to the U.S., reactions remained critical. Concerns were raised about the commercial aspects and about access by public authorities to data transferred under the Privacy Shield.
Why the suspension, and what are the concerns of the European Parliament?
Following the Facebook-Cambridge Analytica data breach, members of the European Parliament (EP) now emphasize the need for better monitoring of the Privacy Shield, given that both companies were certified under it. The EP calls on the U.S. authorities to act upon such breaches without delay and, where necessary, to remove companies from the Privacy Shield list. The EU authorities should also investigate these cases and, where appropriate, suspend or ban data transfers under the Privacy Shield.
The EP members are also worried about the recent adoption of the Clarifying Lawful Overseas Use of Data Act (the ‘CLOUD Act’), which grants the U.S. government and foreign law enforcement authorities the power to oblige U.S. electronic communication and cloud providers to give them access to customers’ personal data across borders. The CLOUD Act could have serious implications for the EU, as it could very well conflict with EU data protection law.
Considering the above, the EP takes the view that the Privacy Shield in its current form does not provide the adequate level of protection required under EU data protection rules and has therefore voted for suspension of the Privacy Shield until the U.S. authorities comply with its terms. It is now up to the European Commission to decide on the future of the Privacy Shield.