The EU-US Privacy Shield may soon be a thing of the past after the European Parliament passed a resolution on July 5th, calling on the European Commission to suspend the agreement unless the U.S. takes further action by September 1st of this year to become compliant with the Privacy Shield requirements.
The data transfer agreement bridges the gap between EU and U.S. data protection law and enables over 3,300 companies to transfer the personal data of EU citizens to the U.S. for processing without breaching fundamental European privacy rights. It allows organizations to self-certify their compliance in order to receive and process data from the EU. This agreement replaced the Safe Harbor arrangement, which was invalidated in the wake of the Edward Snowden revelations.
The European Parliament cited several areas in which the U.S. has not addressed prior EU concerns and concluded, “the current Privacy Shield arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice.”
While the parliamentary vote is not a binding measure, it is a further warning sign that the Privacy Shield will not be renewed at the next renewal vote in October. Note that the European Court of Justice currently has the opportunity to strike down Privacy Shield in the Schrems II case.
Companies currently certifying under the Privacy Shield should consider alternative measures to support data transfers. Under GDPR, organizations transferring data must be able to demonstrate appropriate safeguards (security measures) in the absence of a framework such as Privacy Shield. In addition, the use of standard contractual clauses (also subject to European Court of Justice review) or approved codes of conduct is suggested.