MEPs call for suspension of Privacy Shield unless US monitoring complies with GDPR

Monitoring compliance - Image credit: mixmagic/Adobe stock

Members of the European Parliament’s Civil Liberties Committee have called on legislators to suspend the Privacy Shield agreement that governs US firms’ handling of EU citizens’ data.

MEPs on the committee have passed a resolution calling for the suspension of the agreement from 1 September if the US fails to comply with its terms, including coming into line with GDPR.

Privacy Shield came into force in July 2016, and required the US to commit to not engage in “indiscriminate mass surveillance” of European data. 

It replaced the Safe Harbor agreement, which was in effect for 15 years, but was invalidated by the European Court of Justice in 2015.

This followed a series of complaints and legal challenges from Austrian citizen Max Schrems, who argued that the agreement did not sufficiently safeguard the privacy of EU citizens.

His campaign centred on his belief that the way in which Facebook processed European data infringed on privacy rights.

Under Privacy Shield, all US firms processing EU citizens’ data are required to self-certify that they will adhere to all relevant regulations, with failure to comply being punishable under US law.

The agreement also requires firms to respond to complaints from citizens who believe their data has been misused.

Privacy Shield is subject to annual review by authorities on both sides of the Atlantic. 

But MEPs have claimed that the recent revelations about Facebook and Cambridge Analytica “emphasise the need for better monitoring of the agreement, given that both companies are certified under the Privacy Shield”.

“MEPs call on the US authorities to act upon such revelations without delay and, if needed, to remove companies that have misused personal data from the Privacy Shield list,” the committee added.

“EU authorities should also investigate such cases and, if appropriate, suspend or ban data transfers under the Privacy Shield.”

The committee also expressed concerns about the Clarifying Lawful Overseas Use of Data Act, a new piece of US legislation that MEPs claim “grants the US and foreign police access to personal data across borders”.

This law “could have serious implications for the EU and it could conflict [with] EU data protection laws”, the committee added.

Committee chair Claude Moraes said: "The committee today adopted a clear position on the EU US Privacy Shield agreement.

“While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter.

“It is therefore up to the US authorities to effectively follow the terms of the agreement and for the commission to take measures to ensure that it will fully comply with the GDPR.”