The EU-US Privacy Shield is one of the legal mechanisms enabling the transfer of personal data outside the European Economic Area to US companies that have self-certified to a number of privacy principles (which correspond to EU data protection requirements). The Privacy Shield replaced the Safe Harbour scheme and came into effect almost two years ago in August 2016. Since then it has faced numerous criticisms and legal challenges and is under scrutiny once again, facing possible suspension and even invalidation.
The first annual review of the Privacy Shield was conducted in September last year. The European Commission concluded that the framework “continues to ensure an adequate level of protection for the personal data transferred” but identified and reported on a number of improvements. For more information on this review, please refer to our previous blog post here.
The Article 29 Working Party (now the European Data Protection Board) produced its report on the Privacy Shield in November 2017. It identified a number of concerns, gave until May 25th of this year for those concerns to be addressed, and threatened legal challenge if they were not. To date, those concerns have not been addressed. For more information on this report, please refer to our previous blog here.
The Civil Liberties Committee has now passed a motion recommending that the European Commission suspend the Privacy Shield unless the US comes into full compliance with the Privacy Shield agreement by September 1st. The Committee stated that it wants the US to do something about the privacy scandals without delay, and remove companies that have misused personal data from the Privacy Shield register. The European Parliament is due to vote on the text of the motion in July.
Chair of the Committee, UK MEP Claude Moraes, said: “While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.”
Digital Rights Ireland (a civil, human and legal rights campaigner) has already challenged the Privacy Shield, and the Irish High Court referred the case to the European court (CJEU) for determination.
While we wait for the outcome of the European Parliament vote and the CJEU decision, the Privacy Shield remains a valid mechanism for transferring personal data to Privacy Shield certified companies. However, it would be prudent for those companies relying on the Privacy Shield framework to put in place an additional or alternative safeguard, such as Binding Corporate Rules or EU Commission approved model clauses.