You are here:
22 August 2018 / article

EU-US Privacy Shield on the chopping block?

The EU – US Privacy Shield was adopted in July 2016 as a replacement of the Safe Harbor regime, which was struck down by the EU Court of Justice (CJEU). Both regimes secured the transfer of personal data between the EU and the US. In order to receive personal data from the EU for commercial purposes, and in the absence of another legal ground for such data transfer, US companies have to self-certify with the US Department of Commerce and publicly engage themselves to respect the Privacy Shield’s requirements.

Man pressing a privacy shield

EU – US Privacy Shield suspension demanded if US does not comply by 1 September 2018

On 5 July 2018, the European Parliament issued a Resolution stating that the Members of the European Parliament (MEPs) request the European Commission to suspend the EU – US Privacy Shield, as it does not effectively procure adequate personal data protection for EU citizens.

According to the MEPs, this suspension should be ordered by the European Commission unless the US abides by the EU standards for personal data protection by 1 September 2018, and until the US complies entirely with such standards.

Aftermath of the Facebook / Cambridge Analytica data breach

In reaction to the Cambridge Analytica scandal, the MEPs called for stronger supervision of the Privacy Shield. They now demand the US authorities to react accordingly, including by removing the companies that failed to comply from the Privacy Shield certification list.

In addition, also the EU data protection authorities should use their examination and sanctioning powers, and should consequently interrupt or ban certain data transfers currently taking place under the umbrella of the Privacy Shield. Self-certification should not lead to loopholes or competitive advantages for US companies.

A probability more than a possibility?

One could assume, given the recent changes in the US legislation, that it will be difficult to comply with the requirements set forth by the European Parliament on such short notice. Indeed, the US Congress recently enacted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), granting US and foreign police access to personal data across borders. The adoption of the CLOUD Act could therefore even increase the tensions and the conflict with the EU data protection standards enshrined in the GDPR.

On the other side of the spectrum, the recent adoption of the California Consumer Privacy Act indicates a clear willingness at the level of individual State governments to protect individual privacy, with some measures that even go beyond the European GDPR standards.

Only time will tell whether and how the EU and US government will be able to make the EU – US Privacy Shield a reliable and robust framework for international data transfers.

In the meanwhile, not the European Parliament, but only the European Commission has the power to suspend or revise the Privacy Shield framework, notwithstanding the power of the EU Court of Justice to invalidate the European Commission’s decisions. And while the Resolution of the European Parliament is not binding on the European Commission (or on the CJEU), it is definitely a strong political signal. With, on top of this, a case for the invalidation of the Privacy Shield (initiated by Max Schrems) currently pending before the CJEU, the future of the Privacy Shield does not look very bright …

More information on the Privacy Shield can be found here and in our previous newsflash concerning cross-border data transfers. More background information can be found in the Press Release on the European Parliament’s Resolution.



New address for Loyens & Loeff Belgium

New address for Loyens & Loeff Belgium

We are pleased to announce that Loyens & Loeff Belgium has a new address as from 17 June 2019. read more
A legal framework for pop-up stores in the Brussels-Capital Region

A legal framework for pop-up stores in the Brussels-Capital Region

Since 19 May 2019, the Brussels Capital Region has a legal basis for short-term commercial leases. read more
First Belgian GDPR fine

First Belgian GDPR fine

On 28 May 2019, the Belgian Data Protection Authority imposed its first GDPR fine for misusing personal data for electoral campaign purposes. read more
Stay informed

Don't miss out. Stay up to date about our latest news and events.

Subscribe