On July 5, 2018, the EU Parliament passed a non-binding resolution encouraging the European Commission to suspend the EU-US Privacy Shield Program unless the US is fully compliant by September 1, 2018. The EU Parliament believes that the current Privacy Shield program does not provide an adequate level of protection required by European law. This comes roughly two years after the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law. But a lot has changed in two years.
In its resolution (in draft form), the Parliament points to several concerns with the EU-US Privacy Shield program. Notably, the Parliament uses the Facebook-Cambridge Analytica saga (both companies are Privacy Shield certified) as proof of the program’s inadequacy and the US’ failure to monitor the program sufficiently. Further, the Parliament questions two recent US legislative actions as potentially being at odds with EU privacy principles: the recent passage of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the January 2018 reauthorization of warrantless searches under the Foreign Intelligence Surveillance Act (FISA).
Earlier this week, the Federal Trade Commission (FTC), one of the US agencies charged with enforcing Privacy Shield, announced a settlement with a California on-line training company that falsely claimed it was in the process of obtaining the EU-US Privacy Shield certification. In its press release, the FTC boasts that this is the fourth case it has brought enforcing the Privacy Shield. This obviously did not impress the Parliament.
The good news for the more than 3,100 organizations that voluntarily participate in Privacy Shield is that the Parliament does not have the authority to suspend the program. Only the EU Commission or the Court of Justice of the European Union can do so and neither has taken action yet. The EU Commission is slated to perform an annual review of the program in October. We will continue to monitor any further developments.