European Parliament Threatens Suspension of Privacy Shield
On July 5, the European Parliament adopted a non-binding resolution recommending the suspension of the EU-U.S. Privacy Shield as an approved framework for transferring personal data from the EU to the U.S. if the U.S. is not fully compliant with the program by September 1, 2018.
The Privacy Shield is an agreement between the U.S. and EU allowing businesses to transfer personal data to the U.S. from the EU in compliance with EU data protection requirements. The Privacy Shield is necessary because the European Commission has previously determined that the United States’ existing privacy laws do not provide an adequate level of data protection as required by EU data protection laws. The inadequacy determination notwithstanding, the Privacy Shield is one of several approved and lawful bases for transferring data between the U.S. and the EU. Without one of these lawful bases, the European Parliament has determined that data transfers between the U.S. and EU are not sufficiently protected and violate EU and member-state laws.
The July 5 resolution finds that the Privacy Shield in its current form does not provide an adequate level of data protection as required by EU data protection laws. While the Privacy Shield has raised concerns in the past, it has been met with increasing criticism of late. The July 5 resolution cites the recent Facebook-Cambridge Analytica data-sharing scandal—notably, both companies were Privacy Shield certified—as an example of the shortcomings of the Privacy Shield and the need for “proactive oversight and enforcement actions.” Parliament was also concerned with the new Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a U.S. law that grants U.S. and foreign police access to personal data across borders. The resolution calls on the U.S. to better monitor companies that are certified under Privacy Shield and to remove companies that are not compliant with the Privacy Shield from the list maintained by the U.S. Department of Commerce. If the U.S. is not compliant by September 1, Parliament recommends full suspension of the program.
A suspension of the Privacy Shield would require companies to arrange for an alternative lawful mechanism to transfer data between the U.S. and EU. Two of the more popular options include using EU-approved standard contractual clauses or adopting binding corporate rules for data transfers between affiliated companies. Using standard contractual clauses would require new agreements between transferors and transferees in order to transfer personal data, unless the parties have already agreed to such terms as a fallback if the Privacy Shield is invalidated. Companies that fail to adopt an alternative cross-border data transfer mechanism may need to suspend their data transfers altogether.
Although the consequences of a Privacy Shield suspension would be severe for companies that rely on Privacy Shield, the European Parliament’s resolution is non-binding and therefore serves only as a recommendation. Only the European Commission and the Court of Justice of the European Union have the power to suspend the Privacy Shield. The European Commission may choose to adopt the resolution, ignore it altogether, or seek to find a middle ground to improve the adequacy of the Privacy Shield’s protections. Additionally, the heightened criticism of the Privacy Shield could lead the Federal Trade Commission to increase enforcement actions. Earlier this month, the Federal Trade Commission announced that it had reached a settlement with ReadyTech, a California company, for falsely claiming that it was “in the process of certifying” to the Privacy Shield. While ReadyTech had initiated an application in October 2016, the company did not complete the steps necessary to participate in the Privacy Shield.
For companies that rely on Privacy Shield for cross-border data transfers, it would be wise, if they haven’t done so already, to begin developing a back-up plan to legally transfer data between the EU and U.S. in case the Privacy Shield is declared invalid. Companies that have begun the Privacy Shield certification process, but have not completed the steps necessary to participate, should make sure they are on track to meet the requirements for participation. Otherwise, they may wish to consider an alternate onward transfer mechanism.