The clock is ticking on Privacy Shield, senior MEPs rule
The Privacy Shield agreement, which was only passed in June 2016 in an 11th-hour compromise to replace the illegal Safe Harbour transatlantic data deal, fails to properly protect EU consumers and must be suspended unless the US complies with its terms.
That is the verdict of MEPs on the Committee on Civil Liberties, Justice & Home Affairs (LIBE), who have warned that the US has still not addressed the original concerns about the deal or GDPR.
Privacy Shield was launched after a legal challenge by privacy activist and Austrian lawyer Max Schrems ruled that Safe Harbour was illegal. The pact underwent its first annual review last September, when the European Commission deemed it adequate, despite raising a number of concerns.
These included the lack of a permanent ombudsman, the impact of US President Donald Trump's executive orders on immigration, and attitudes towards security and privacy.
In a vote this week, the Committee adopted a motion for a resolution that calls on the Commission to suspend the deal unless the US is compliant by September 1.
LIBE chair Claude Moraes, who has been MEP for London since 1999, said: "While progress has been made to improve on the Safe Harbour agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter.
"It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with GDPR."
The Committee also pointed out that both Facebook and the now defunct Cambridge Analytica – the firms at the centre of the recent data scandal – are both certified under the Privacy Shield.
It called on US authorities to act on these revelations "without delay", and "if needed, to remove such companies from the Privacy Shield list"; their EU counterparts should also investigate and, where appropriate, suspend or prohibit data transfers under the deal.
Similarly, the US Department of Commerce should carry out more proactive and regular compliance checks, to ensure that companies which are allowed to self-certify are falling in line with Privacy Shield.
The motion is expected to be put to a vote in the full House in July.