Data Risk Intelligence
Automated Data Mapping
Do Not Sell/Do Not Share
Cookie Banner Solutions
Consent & Preferences
Data Rights RequestsEuropean Parliament Calls for Suspension of Privacy Shield in September
The Members of the European Parliament adopted a resolution calling for the suspension of the EU-US Privacy Shield if the United States is not in full compliance with its terms by September 1st. The Privacy Shield is an agreement between the United States and the European Union to provide companies with a mechanism to comply with data protection requirements when transferring personal data between the two countries in transatlantic commerce.
The European Parliament does not have the authority to suspend the Privacy Shield on its own. The two parties that can suspend the Privacy Shield are the European Commission and the Court of Justice of the European Union (CJEU). The Commission is nevertheless required to respond to the European Parliament within three months. The vote does express a certain level of frustration with data privacy protections in the United States by European leaders and could put a certain amount of political pressure on the European Commission.
The second annual review for the EU-U.S. Privacy Shield is coming up in October. The European Commission does an annual review of the functioning of the Privacy Shield to evaluate the adequacy of the data protections it offers to EU citizens. In its first review, the EU found that U.S. authorities had put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield. However, it suggested a few improvements in order to ensure that the guarantees functioned as intended. Given the MEPs declaration that the EU should suspend the Privacy Shield, the second annual review could be a tough test for the EU-US privacy agreement on the transfer of personal information. If the EC finds that the Privacy Shield offers an adequate level of protections, than it would likely survive for another year unless the CJEU takes action.
Here is a link to the European Parliament resolution. The resolution identifies a number of concerns with the Privacy Shield and its enforcement that the MEPs wish to have addressed.
This may only be the first of several challenges to the Privacy Shield. It is expected to face another test in the CJEU in the next year or so in a case between Max Schrems and Facebook. In the first case between Schrems and Facebook, which was decided on October 6, 2015, the CJEU invalided the Safe Harbor governing data transfers between the EU and the US, the predecessor to the Privacy Shield. Given several high profile mishaps in data privacy by U.S. companies and decisions by the United States to weaken privacy protections, it is possible that the CJEU may invalidate the adequacy of the protections offered by the Privacy Shield when it considers Schrems II. Ireland’s High Court referred the key legal questions on data transfer mechanisms to the CJEU, including the lawfulness of the Standard Contracutal Clauses and the EU-US Privacy Shield.
In other Privacy Shield news:
The Federal Trade Commission released a blog post earlier this week reiterating its commitment to enforcing the Privacy Shield. The FTC reminded companies that while participation is voluntary, representations about Privacy Shield compliance must be true as it discussed a proposed settlement with ReadyTech Corporation, a California-based employee training company.
ReadyTech said in its privacy policy that it was in the process of certifying compliance with the Privacy Shield. However, it did not follow through with the necessary steps after it began the application process in October 2016. The FTC alleged that its statement was false or misleading as a result. In the settlement, ReadyTech agreed not to misreprent its participation in or compliance with any privacy or security program sponsored by a government, a self-regulatory group or a standard-setting organization.
The FTC warned companies that deceptive claims about Privacy Shield participation are actionable under section 5 of the FTC Act. If a company hasn’t finished the certification process or its certification has lapsed, companies claiming that they participate in the Privacy Shield must either complete the process or remove the false statement.
More on Privacy Shield:
EC Report for Second Annual Privacy Shield Review Finds Adequate Protection of Privacy
EU and US Meet for Second Annual Privacy Shield Review
US Affirms Full Compliance with Privacy Shield Obligations
EU considering deadline for Privacy Shield compliance by United States
Contact Clarip for Help with Your Privacy Program
The Clarip data privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping software, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie consent manager, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.
