A vote in the EU Parliament has put a data sharing agreement between the European Union and the United States, the EU-US Privacy Shield, in jeopardy.
The Privacy Shield is an adequacy agreement that came into force in July 2016 and defines how EU citizens’ personal data should be protected when transferred between the EU and the US.
It’s a replacement for Safe Harbour, which was the old data sharing agreement between the EU and the US that was declared invalid by a Court of Justice ruling in 2015.
It protects EU citizens’ data by setting “robust obligations” on US corporations, placing limitations on public authorities and creating means of redress for citizens concerned their data may have been misused under the agreement.
It also affords legal clarity on a number of issues; for example, corporations handling HR data on EU citizens in the US must comply with decisions made by European Data Protection Authorities.
In an opinion published in 2017, the Article 29 Working Party (which was replaced by the European Data Protection Board post-GDPR) outlined a number of concerns about the data sharing agreement, including:
- The collection and access of personal data for national security purposes;
- Any available right of recourse and remedies for data subjects; and
- The lack of an independent Ombudsperson.
The motion for a resolution, passed today in the European Parliament by 303 votes to 223 (29 abstentions), expanded on the concerns cited in the opinion paper published by the Article 29 Working Party.
In approving the motion, the European Parliament has given the United States and the EU Commission until 1st September to pull its data protection practices into compliance with the provisions set down in the EU’s data protection laws.
If practices are not brought into compliance by 1st September, the agreement will be suspended.
In its announcement on the vote, the European Parliament highlighted the recent misuse of data between Cambridge Analytica and Facebook as a sign that there needs to be “better monitoring of the agreement.”
It also stated that the Clarifying Lawful Overseas Use of Data Act, a new US law that “grants the US and foreign police access to personal data across borders”, could have “serious implications” for the EU and conflict with EU data protection laws.
The motion for a resolution passed earlier today was initially tabled by the EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).
It mentions the Facebook and Cambridge Analytica incident and points to the “improper use” of 2.7 million EU citizens’ personal data.
Moreover, it also points to a recent change in Facebook’s terms of service that led to 1.5 billion non-EU users now falling under the remit of Facebook US, rather than Facebook Ireland.
The switch ensures that non-EU citizens who previously agreed to the terms of service of Facebook Ireland will no longer enjoy the benefits of the EU’s new data protection laws (as they now fall under the remit of Facebook US).
As per the Article 29 Working Party’s opinion paper, it calls for more clarification on the role of the independent Ombudsperson. It also highlights the Ombudsperson’s lack of authority, particularly in relation to ordering public authorities to limit surveillance activities or destroy information.