The EU-US Privacy Shield may finally be in actual jeopardy. It was previously thought that given the high stakes, this data transfer accommodation implemented as a replacement for the judicially invalidated Safe Harbor program was too important an agreement to be withdrawn and that only another judicial ruling could render its death knell. That is no longer the case. A vote today by the European Parliament made sure of that.
As reported by the IAPP, on July 5, 2018 the European Parliament passed a non-binding resolution by a vote of 303 to 223 votes and 29 abstentions to have the European Commission suspend the EU-US Privacy Shield “unless the U.S. is fully compliant” by September 1, 2018. This is the second September review of the EU-US Privacy Shield.
Between the GDPR requirements left out of the EU-US Privacy Shield, the Cambridge Analytica fiasco that still dogs Facebook, the US’s adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) – a statute that expressly allows access to trans-border personal data, the US’s pulling out of the Iran deal despite strong pressure from the EU, and the current tariff barbs being sent across the Atlantic, the long-term health of EU-US Privacy Shield can no longer be considered a given. Companies who have been reliant on this data transfer accommodation should certainly consider alternatives as soon as possible.