Is this the end of US Privacy Shield?

EU-US Privacy Shield


Last week the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) called on the EU Commission to suspend the EU-US Privacy Shield agreement, saying Privacy Shield doesn’t provide enough protection for EU citizens’ data.

What’s Privacy Shield?

Privacy Shield was adopted in 2016, replacing the previous agreement (Safe Harbor), which had been determined in 2015 to be inadequate in meeting EU standards of data protection.

In essence, the Privacy Shield provides the grounds by which US businesses can demonstrate that they meet the requirements of EU data protection standards. The GDPR, as with previous incarnations of EU data protection legislation, requires that international transfers of personal data only be made to countries where an adequate data protection regime is in place.

There is a small list of countries deemed to have adequate data protection laws, but the US isn’t one of them. The Privacy Shield is therefore a separate agreement between the US government and the EU that allows US businesses to sign up to the agreement and, in turn, to the principles of EU data protection legislation.

The problem

However, the LIBE committee is suggesting that there are concerns about the efficacy of the agreement, based on two particular issues:

  1. The Facebook and Cambridge Analytica scandal, where both companies are signatories
  2. A possible conflict with a new US law, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which grants the US and foreign police access to personal data across borders and may conflict with EU data protection standards

It appears that the real issue is that there is no clear ombudsman in the US to monitor signatories to Privacy Shield and therefore general compliance, particularly with the GDPR.

The final draft of the resolution will be voted on in July, but the Civil Liberties Committee Chair and rapporteur Claude Moraes (S&D, UK) said: “The LIBE committee today adopted a clear position on the EU US Privacy Shield agreement. While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.”

The US is likely to have until September to demonstrate its commitment to (and enforcement of) the agreement; otherwise the agreement may be withdrawn.

What withdrawal of Privacy Shield could mean for UK businesses

Probably one of the main issues for UK businesses will be the third-party services they use (mainly cloud-based) that are US-based (MailChimp, Microsoft, Google, etc.) and are all signed up to the Privacy Shield. If the agreement is withdrawn by the EU, then anyone using these US services is unlikely to be able to demonstrate GDPR compliance and due diligence against their third-party processors. This will mean that businesses will need to look at alternative, probably contractual, arrangements with these providers (such as standard contractual clauses) or look for EU-based providers instead.

That said, with Brexit round the corner, this could all be a moot point depending on what happens with the UK’s position on data protection: whether we will need a separate agreement with the US, or possibly even with the EU if they don’t believe the UK has adequate protections in place (because of other UK laws).
