European Parliament calls for suspension of Privacy Shield

A majority in the European Parliamentarians has supported calls for the suspension of the Privacy Shield framework for transatlantic data transfers if the US fails to comply fully by 1 September 2018.

The full house approved a resolution passed in June by 29 votes to 25 by the European Parliament’s Civil Liberties Committee.

Privacy Shield fails to provide enough data protection for EU citizens and the data exchange deal should be suspended unless the US complies with EU data protection rules by the deadline, MEPs said in a resolution passed by 303 votes to 223.

Members of the European Parliament (MEPs) said the deal should remain suspended until the US authorities comply with its terms in full, adding that the Facebook-Cambridge Analytica data exploitation scandal emphasises the need for better monitoring of the agreement, given that both companies are certified under the Privacy Shield.

The MEPs called on the US authorities to act upon such revelations without delay, and if necessary to remove companies that have misused personal data from the Privacy Shield list. They said EU authorities should also investigate such cases and, if appropriate, suspend or ban data transfers under the Privacy Shield.

MEPs who voted in favour of the resolution expressed concerns that data breaches may pose a threat to democratic processes if data is used to manipulate political opinion or voting behaviour. They are also worried about the recent adoption of the Clarifying Lawful Overseas Use of Data (Cloud) Act that grants the US and foreign police access to personal data across borders.

MEPs said the new US law may have serious implications for the EU and could conflict with EU data protection laws.

In calling for the suspension of the agreement in June, MEPs raised concerns that US authorities were not fully adhering to the terms of the agreement, and that the US administration, under president Donald Trump, was rolling back privacy safeguards and stepping up surveillance through executive orders.

Civil Liberties Committee chair and rapporteur Claude Moraes of the UK said the resolution makes clear that the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. “Progress has been made to improve on the Safe Harbour agreement but this is insufficient to ensure the legal certainty required for the transfer of personal data,” he said.

In the wake of data breaches like the Facebook and Cambridge Analytica scandal, Moraes said it is more important than ever to protect our fundamental right to data protection and ensure consumer trust.

“The law is clear and, as set out in the GDPR, if the agreement is not adequate, and if the US authorities fail to comply with its terms, then it must be suspended until they do,” he said.

The Privacy Shield framework, approved in July 2016, is an agreement between the US and the EU allowing US companies considered to have an adequate level of data protection to transfer personal data from EU to the US.

The EU-US Privacy Shield is the successor to the 2,000 Safe Harbour framework, which was declared invalid by the Court of Justice of the European Union (CJEU) in October 2015 on the grounds that it was not strict enough on data protection for EU citizens.

The latest calls for the suspension of the agreement come just over a year after MEPs called on the European Commission to reassess Privacy Shield due to concerns over US privacy safeguards.