Is this the end of US Privacy Shield?

Last week the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) called on the EU Commission to suspend the EU-US Privacy Shield agreement, saying Privacy Shield doesn’t provide enough protection for EU citizens’ data.

What’s Privacy Shield?

Privacy Shield was adopted in 2016, replacing the previous agreement (Safe Harbor), which had been determined in 2015 to be inadequate in meeting EU standards of data protection.

In essence, the Privacy Shield provides the grounds by which US businesses can demonstrate they meet the requirements of EU standards of data protection compliance. The GDPR, as with previous incarnations of EU data protection legislation, requires that international transfers of personal data only be made to countries where adequate data protection regimes are in place.

There is a small list of countries deemed to have adequate data protection laws but the US isn’t one of them, so the Privacy Shield is a separate agreement between the US government and the EU to allow US businesses to sign up to the agreement and in turn sign up to the principles of EU data protection legislation.

The problem

However, the LIBE committee are suggesting that there are concerns about the efficacy of the agreement, based, it seems, on two particular issues:

  1. The Facebook and Cambridge Analytica scandal, where both companies are signatories
  2. A possible conflict with a new US law, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which grants the US and foreign police access to personal data across borders and may be in conflict with EU data protection standards

It appears that the real issue is that there is no clear ombudsman in the US to monitor signatories to Privacy Shield and therefore general compliance, particularly with the GDPR.

The final draft of the resolution will be voted on in July, but the Civil Liberties Committee Chair and rapporteur Claude Moraes (S&D, UK) said: “The LIBE committee today adopted a clear position on the EU US Privacy Shield agreement. While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.”

The US are likely to have until September to demonstrate their commitment to (and enforcement of) the agreement; otherwise the agreement may be withdrawn.

What withdrawal of Privacy Shield could mean for UK businesses

Probably one of the main issues for UK businesses will be the third-party services they use (mainly cloud-based) that are US based (MailChimp, Microsoft, Google, etc.), all of which are signed up to the Privacy Shield. If the agreement is withdrawn by the EU, then potentially anyone using these US services is unlikely to be able to demonstrate GDPR compliance and due diligence against their third-party processors. This will mean that businesses will need to look at alternative, probably contractual, relationships with these providers or look for EU-based providers instead.

That said, with Brexit round the corner, this could all be a moot point depending on what happens with the position on data protection and the UK and whether we will need a separate agreement with the US, or possibly even with the EU if they don’t believe the UK has adequate protections in place (because of other UK laws).