In July, the European Parliament called for the suspension of the EU’s data sharing agreement with the US known as the Privacy Shield. While the September 1 deadline recommended by the Parliament is likely to pass without any major disruptions to the deal, it does reflect a broad sense of dissatisfaction in Brussels over the way the US government has implemented the agreement, which underpins transatlantic economic activity worth more than $500 billion each year.
In the digital age, data has become as indispensable as the steam engine was for the industrial revolution. It powers businesses, directs innovation, and facilitates the provision of a whole host of new or improved goods and services. This means any disruption to its flow could have a noticeable impact on both businesses and consumers.
Therefore, the EU faced both an economic and legal conundrum when its original data-sharing arrangement, the Safe Harbour Agreement, was invalidated by the European Court of Justice in 2015. In a rush to fill this void, the EU and US came up with the Privacy Shield in 2016.
This replacement agreement was designed to address three main points. First, it placed strong data protection obligations on companies collecting personal data in the EU. Second, it introduced safeguards on US government access to this data. Third, EU citizens were provided with the means for redress if their data is misused.
Companies that wish to transfer data outside of the US must certify that their privacy policies are in line with EU principles, and their membership in the Privacy Shield must be renewed annually. Currently, more than 3,500 US businesses have self-certified, including Twitter, Facebook, Google, and Amazon. However, it’s not just big tech firms that rely on the Privacy Shield. For instance, consulting firms, healthcare companies, and translation services can be found on the Privacy Shield’s membership list.
What exactly are the European Parliament’s concerns? The Parliament believes the US has done an inadequate job of ensuring companies’ compliance with the Privacy Shield and of removing those that fail to meet its requirements. This criticism follows the recent data scandals involving Facebook and Cambridge Analytica, two companies that were part of the Privacy Shield. The US has also failed to adopt a policy directive that would require surveillance activities to safeguard personal information. In addition, the European Parliament has raised the possibility that the Clarifying Lawful Overseas Use of Data Act could undermine EU data protection laws.
Although the European Parliament’s statement has rattled businesses, it is the European Commission that has the ultimate power to suspend the deal. Last month, the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, sent a letter to the US Commerce Secretary, Wilbur Ross, reminding him of the US obligation to appoint senior personnel to implement key aspects of the Privacy Shield, including its redress clauses.
Despite this complaint, the European Commission is unlikely to act on the European Parliament’s recommendation and suspend the Privacy Shield on September 1. However, it’s worth noting that the Commission’s second annual review of the agreement is slated for October. While the Commission has stated its desire to work with the US to fulfill the implementation of the Privacy Shield, the US administration’s hostility to EU data protection laws and recent data-related scandals are likely to put pressure on the Commission to take a harder line. If the deal is revoked, it could leave businesses scrambling and temporarily disrupt EU citizens’ ability to access certain services or online platforms that involve the transfer of personal data.