Brussels, 12/06/2018. The Civil Liberties committee of the European Parliament (LIBE) has called on the EU Commission to suspend the EU/US Privacy Shield agreement on the exchange of personal data, since this (relatively new) agreement still fails to provide sufficient data protection for EU citizens.
Privacy Shield should be suspended unless the US complies with it by 1 September 2018, said the committee’s MEPs, in a resolution passed by 29 votes to 25, with three abstentions. They added that the US authorities need to comply with the agreement terms in full.
The recent Facebook / Cambridge Analytica data-breach scandal has shown how the agreement falls down in practice (both companies were certified under Privacy Shield). LIBE committee members have emphasised the need for better monitoring of the agreement, and have called on the US authorities to act on such revelations without delay.
The committee has also recommended that companies on the Privacy Shield register which misuse personal data should be removed from the register without delay. EU authorities need to investigate such cases, and if necessary suspend or ban data transfers under the agreement. The full European Parliament is expected to vote on the decision in July.
LIBE committee chair Claude Moraes (S&D, UK) said, “The committee today adopted a clear position on the EU/US Privacy Shield agreement. While progress has been made to improve on the Safe Harbour agreement, Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.”
MEPs were also worried about the recent adoption by the US of the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which grants US and foreign police services access to personal data across borders. They point out that this new US law could run into direct conflict with EU data protection laws and bring serious implications for EU citizens.
© Philip Hunt, 2018.
Privacy Shield is an agreement between the US and the EU that allows US companies considered to hold secure data-protection facilities to transfer personal data from the EU to the US. Previously such data exchange was handled under the 2000 Safe Harbour framework, which was invalidated by an EU Court of Justice ruling from October 2015 because it did not meet EU requirements on citizens’ personal data. Privacy Shield, not yet two years old, was adopted in July 2016.
* LIBE committee resolution on the adequacy of Privacy Shield: <http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/RE/2018/06-11/1149002EN.pdf>
* EU Commission report on the first annual review of Privacy Shield: <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017DC0611>
* EP Press Release, April 2017: MEPs alarmed at undermining of privacy safeguards in the US <http://www.europarl.europa.eu/news/en/press-room/20170329IPR69067/data-privacy-shield-meps-alarmed-at-undermining-of-privacy-safeguards-in-the-us>
* EP research: From Safe Harbour to Privacy Shield (January 2017) <http://www.europarl.europa.eu/RegData/etudes/IDAN/2017/595892/EPRS_IDA%282017%29595892_EN.pdf>