Europeans Call to Suspend Privacy Shield, the Controversial Replacement of “Safe Harbour,” Until US Complies


The European MEPs are calling for the suspension of the EU-US Privacy Shield. The Privacy Shield is a data sharing pact designed by the US Department of Commerce, the European Commission and Swiss Administration to offer a mechanism to comply with data protection requirements when transferring data across the Atlantic.

The MEPs now believe that the Privacy Shield should be suspended if the US doesn't comply by  September 1. MEPs voted 303 to 223 in favour of a resolution that criticizes the US for not complying with the protection requirements, arguing that the Privacy Shield doesn't offer adequate protections demanded by the pro-privacy EU laws.

“America First Must Not Mean America Only” – EU on Its Data Sharing Pact with the US

Resolution mentions Facebook's data scandal and calls for suspension of Privacy Shield until US starts complying

Privacy Shield is used by over 3,000 companies to move personal data of Americans and Europeans across the ocean. Some of the biggest tech firms, including Facebook, Microsoft and Google, use these rules to comply with local laws while moving personal data around. However, with the stricter GDPR rules in effect now and following the revelation that data of at least 2.7 million EU users was accessed by Cambridge Analytica without their consent, the MEPs are calling for some reforms.

The resolution calls on the "US authorities responsible for enforcing the Privacy Shield" to make sure companies like Facebook - being termed as a "de-facto monopoly platform" - are in compliance or else removed from the Privacy Shield list, and their data transfers prohibited under the Privacy Shield.

The resolution also demands that the European Parliament (emphasis is ours):

Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 25 May 2018, and with the EU Charter, so that adequacy should not lead to loopholes or competitive advantage for US companies;

Takes the view that the current Privacy Shield arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice;

Considers that, unless the US is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield until the US authorities comply with its terms;

Recalls that privacy and data protection are legally enforceable fundamental rights enshrined in the Treaties, the Charter of Fundamental Rights and the European Convention of Human Rights, as well as in laws and case law; emphasises that they must be applied in a manner that does not unnecessarily hamper trade or international relations, but cannot be ‘balanced’ against commercial or political interests;

This isn't the first time that Europeans have expressed their concerns over how the Privacy Shield is being misused by the US. The transatlantic data sharing agreement has also drawn criticism from privacy advocates for enabling excessive access by the governments. Only a few months ago, when the Privacy Shield was going through its first ever review, EU Justice Commissioner, Vera Jourova had said that the Europeans want to make sure "that 'America First' does not mean 'America Only'."

“We Europeans insist on having our data protected,” Jourova had said at the time. "And we have to make sure that it is understood that the Privacy Shield is intended to protect privacy, security and also to uphold the interests of the businesses – not just American businesses, but also EU businesses."