The European Parliament has passed a non-binding resolution calling for the European Commission to suspend the EU-US Privacy Shield if the US does not comply with its requirements by 1 September 2018.
The European Parliament acted over concerns that the Privacy Shield hasn't been implemented as promised.
The Privacy Shield is a legal framework agreed between the EU and the US to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data to the US.
The Commission issued an adequacy decision in July 2016 declaring that the Privacy Shield provides an adequate level of data protection. The adequacy decision was followed by the first annual review of the Privacy Shield (completed in October 2017). The review found that the Privacy Shield worked well but that there was room for improving its implementation as its redress mechanisms had not been tested in practice.
The European Parliament considers that the Privacy Shield does not provide an adequate level of data protection under EU data protection law because (among other reasons):
Although the resolution is not binding and does not suspend the Privacy Shield, the Commission will be required to consider the official position of the European Parliament in the course of the second review of the Privacy Shield (scheduled for October 2018). If the Commission finds that the Privacy Shield does not adequately protect EU citizens' personal data, it has the power to amend, suspend or cancel the framework.
If your organisation relies on data being able to flow freely between the EU and the US, you will need to monitor developments closely. Consider whether you can rely on other mechanisms apart from Privacy Shield to legitimise US transfers, such as model contract clauses or consent, notwithstanding the practical difficulties that such mechanisms may entail.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2018. Specific advice should be sought for specific cases.