EU Parliament sets two-month deadline for Privacy Shield suspension

The European Parliament has said the Privacy Shield agreement, which governs the transfer of data between the EU and US, should be suspended if the US doesn't ensure it's compliant with GDPR by 1 September.

MEPs believe that the agreement fails to offer 'essentially equivalent' safeguards to those guaranteed within the European Union, and therefore the agreement should be suspended.

The resolution, which passed with a 303 to 223 vote in favour, states that "the current Privacy Shield arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice".

"...unless the US is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield until the US authorities comply with its terms."

The resolution follows a similar decision by the Civil Liberties (Libe) Committee last month, which called for the suspension of the agreement after the discovery of the improper sharing of Facebook user data by Cambridge Analytica.

Despite recent revelations that 87 million Facebook users had their data improperly shared with third-parties through Cambridge Analytica, the company remains listed as an active member of the Privacy Shield agreement.

MEPs argued that the "revelations clearly show that the Privacy Shield mechanism does not provide adequate protection of the right to data protection", and that such companies should be sanctioned and removed from the Privacy Shield list.

Privacy Shield has been a less than perfect solution since its introduction in 2016, rushed into place following the scrapping of the Safe Harbour agreement - itself ruled ineffective by the European Court of Justice.

The EU has criticised its effectiveness and questioned how committed the US is to the agreement, particularly as the Privacy and Civil Liberties Oversight Board, responsible for governing the agreement on the US side, still only has one official board member.

The European Parliament supports the view of the Article 29 Working Party, the EU's collection of member state data protection officials, that despite progress since the first annual review of the agreement there remain "unresolved issues of significant concern".

Pressure is now mounting to address unresolved concerns ahead of its second annual review, due to take place in October.

These include the levels of access US public authorities have to data transferred under Privacy Shield, as well as concerns around the handling of 'bulk data'. The definition of what constitutes 'national security', or the definition of 'targets' and 'tasking of selectors' in relation to bulk data collection are said to be unclear and insufficient.

The statement raises "concerns about Executive Order 12333, which allows the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency and the Department of Homeland Security", and the lack of any judicial review of surveillance activities.

The resolution also expressed concern over the recent 'Enhancing Public Safety in the Interior of the United States' executive order, signed into force by President Trump, that stripped away data protections for non-US citizens.

While not specifically related to Privacy Shield, the parliament said it gives an indication as to the "intention of the US executive to reverse the data protection guarantees previously granted to EU citizens and to override the commitments made towards the EU during the Obama Presidency".

The final decision will now rest with the European Commission, however, an outright suspension of the deal would likely create chaos for the approximately 4,000 companies currently operating under the framework.

Despite the mounting pressure from within the EU, the Commission itself appears to support Privacy Shield in its current form. In response to the resolution, a Commission spokesperson told Techcrunch: "The Commission's position is clear and laid out in the first annual review report. The first review showed that the Privacy Shield works well, but there is some room for improving its implementation".

He added that it would continue to work with the US administration with the aim of keeping Privacy Shield running.

Image: Shutterstock

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.