The European Parliament recently published a resolution regarding the use of Facebook users’ personal data by Cambridge Analytica, in which they urged the EU Commission to suspend the EU-US Privacy Shield scheme until full compliance with the framework is achieved.
The recent Facebook/Cambridge Analytica scandal has led to discussion by data protection authorities and governments regarding the way in which Facebook allowed the personal data of their users to be accessed by a third party application. This access resulted in the personal data being used for the purposes of electoral campaigning in the USA.
The European Parliament recently published a resolution on this matter. Although such resolutions are not binding, they do provide an indication of the current political view in Europe.
EU-US Privacy Shield became effective in August 2016 and it was intended that the framework would protect the rights of individuals based in the EU, whose personal data is transferred to the US for commercial purposes. The expectation is that only US companies having an ‘adequate’ level of data protection would be granted EU-US Privacy Shield registration.
There have, however, been rumblings of discontent about the effectiveness of EU-US Privacy Shield. Questions have been raised as to whether Privacy Shield-registered companies (currently almost 4,000 of them) are complying with the requirements and whether the US authorities have sufficient processes in place to monitor and enforce Privacy Shield compliance. The resolution from the European Parliament echoes such concerns. They have expressed the view that, as the deadline (of 1 September 2018) for the US to become fully compliant with the Privacy Shield was not met, the European Commission has failed to act in accordance with its obligations under Article 45 of the GDPR (regarding transfers on the basis of an adequacy decision). The European Parliament has consequently urged the Commission to suspend the Privacy Shield until the US authorities comply with its terms.
For businesses that are currently taking advantage of the framework of the EU-US Privacy Shield when transferring personal data of individuals from the EU to the US, this is certainly something to keep an eye on. The impact of the EU-US Privacy Shield being suspended could affect whole areas of the tech industry and mean that those companies will have to ensure they still comply with the GDPR, without the facilitation that the Privacy Shield framework currently provides.
Whether the Commission will follow the recommendations of the European Parliament is yet to be seen. The second annual EU-US Privacy Shield framework review is currently being undertaken and the Commission intends to publish a report on its findings on the functioning of the framework, which will hopefully provide some clarity. In the meantime, companies who contract with service providers based in the US and who rely on EU-US Privacy Shield should monitor this. Some may wish to put in place contingency arrangements for key contracts, including, for example, by entering into the Model Clauses (standard contractual clauses approved by the European Commission for the transfer of personal data to processors established in third countries).
We will provide further updates on this topic when more information is available. For more information on this topic please contact Freya Lemon in our Commercial team.