EU Commission urged to suspend the EU-US Privacy Shield

EU Commission urged to suspend the EU-US Privacy Shield

The European Parliament recently published a resolution regarding the use of Facebook users’ personal data by Cambridge Analytica, in which they urged the EU Commission to suspend the EU-US Privacy Shield scheme, until full compliance with the framework is achieved.

EU-US Privacy Shield – the latest

The recent Facebook/Cambridge Analytica scandal has led to discussion by data protection authorities and governments regarding the way in which Facebook allowed the personal data of their users to be accessed by a third party application. This access resulted in the personal data being used for the purposes of electoral campaigning in the USA.

The European Parliament recently published a resolution on this matter. Although such resolutions are not binding, they do provide an indication of the current political view in Europe.

EU-US Privacy Shield became effective in August 2016 and it was intended that the framework would protect the rights of individuals based in the EU, whose personal data is transferred to the US for commercial purposes. The expectation is that only US companies having an ‘adequate’ level of data protection would be granted EU-US Privacy Shield registration.

There have, however, been rumblings of discontent about the effectiveness of EU-US Privacy Shield. Questions have been raised as to whether Privacy Shield-registered companies (currently almost 4,000 of them) are complying with the requirements and whether the US authorities have sufficient processes in place to monitor and enforce Privacy Shield compliance. The resolution from the European Parliament echoes such concerns. They have expressed the view that, as the deadline (of 1 September 2018) for the US to become fully compliant with the Privacy Shield was not met; the European Commission has failed to act in accordance with its obligations under Article 45 of the GDPR (regarding transfers on the basis of an adequacy decision). The European Parliament has consequently urged the Commission to suspend the Privacy Shield until the US authorities comply with its terms.

Looking ahead

For businesses that are currently taking advantage of the framework of the EU-US Privacy Shield when transferring personal data of individuals from the EU to the US, this is certainly something to keep an eye on. The impact of the EU-US Privacy Shield being suspended could affect whole areas of the tech industry and mean that those companies will have to ensure they still comply with the GDPR, without the facilitation that the Privacy Shield framework currently provides.

Whether the Commission will follow the recommendations of the European Parliament is yet to be seen. The second annual EU-US Privacy Shield framework review is currently being undertaken and the Commission intends to publish a report on its findings on the functioning of this, which will hopefully provide some clarity. In the meantime, companies who contract with service providers based in the US and who rely on EU-US Privacy Shield should monitor this. Some may wish to put in place contingency arrangements for key contracts, including for example by entering into the Model Clauses ─ standard contractual clauses approved by the European Commission for the transfer of personal data to processors established in third countries).

We will provide further updates on this topic when more information is available. For more information on this topic please contact Freya Lemon in our Commercial team.

EVENTS
Technology and Innovation
Lessons from Leading Women Tech Entrepreneurs

Michelmores has partnered with Women in Telecoms & Technology (WiTT) to celebrate women entrepreneurs working in the tech sector. Delegates will have the opportunity to...

EVENTS
Tech Transactions Masterclass: navigating the impact of new digital regulation on contracting and the supply chain
Tech Transactions Masterclass: navigating the impact of new digital regulation on contracting and the supply chain

Hosted and sponsored by Michelmores and organised by the SCL Tech Transactions Group. Join SCL’s Technology Transactions Group on 28 November 2024 for a half day event focusing on how...

EVENTS
mainstream
MAINstream Pitch Event

Applications for this pitch event close on 14 November. If you are interested in joining the network and attending our events please email mainstream@michelmores.com for further details....