Homeland Insecurity: Citing Insufficient Safeguards, the EU Moves to Suspend the Privacy Shield Protocol

The European Parliament adopted a resolution earlier this month to suspend the EU-U.S. Privacy Shield agreement. The Privacy Shield is a protocol that provides for the exchange of personal data between the EU and the United States for commercial purposes. Adopted in 2016 after the European Court of Justice invalidated the Safe Harbor arrangement, the shield is intended to safeguard the “fundamental privacy rights” of European citizens with respect to data transfers between signatory countries.

The EU Parliament’s non-binding resolution calls for suspending the agreement unless the United States can demonstrate that it complies with the agreement’s terms by September 1, 2018, and can provide an adequate level of protection for personal data as required by EU law. The resolution comes on the heels of a number of high-profile data leaks by U.S. entities, leaving the EU Parliament increasingly concerned that personal information and other data belonging to EU citizens is not being sufficiently protected when it is transferred to the United States.

The Parliamentary resolution cites several concerns as justification for suspension of the agreement. These concerns are especially focused on the potential risk that EU residents’ personal data could be targeted by U.S. national security agencies and law enforcement under the recently enacted Clarifying Overseas Use of Data Act (CLOUD Act), which expressly authorizes such agencies to access personal data stored abroad. Those Parliament members who voted in support of the suspension also say that they fear that U.S. companies have been slow to address instances of data theft and misuse. This concern has been further amplified by the fact that the United States also has been slow in appointing the permanent ombudsperson required as part of the U.S. scheme to oversee and address the Privacy Shield’s protections and to investigate reports of data misuse. Members expressed fears that the upcoming U.S. elections may provide more opportunities for social engineering and other attacks that threaten the fundamental right to data protection provided for EU citizens, and further erode consumer trust.

The European Parliament’s resolution is non-binding, and the European Commission may choose to ignore it. Some EU lawmakers have argued that a resolution calling for suspension may be premature, and will only serve to engender uncertainty and increase business costs, especially for smaller companies. More likely, however, the European Commission will look for ways to improve the Privacy Shield in cooperation with U.S. lawmakers and in response to the pressure generated by the Shield’s critics to renegotiate the agreement.