“No effective control over whether certified companies actually comply with the Privacy Shield provisions.”
A resolution issued by the European Parliament in July, which calls on the European Commission to suspend the EU – US Privacy Shield data transfer agreement, is days away from its September 1 deadline.
The parliament says the deal – a replacement for the Safe Harbor regime, which was struck down by the EU Court of Justice (“CJEU”) in 2015 – does not procure adequate personal data protection for EU citizens.
As one passage of the resolution puts it: “A number of concerns remain regarding both the commercial aspects and the access by US public authorities to data transferred from the EU… [including] the lack of concrete assurances of not conducting mass and indiscriminate collection of personal data (bulk collection).”
See also: UPDATED: Irish High Court Warns of “Potentially Grave Prejudice” in Landmark Facebook Ruling
The parliamentarians further raised commercial concerns, saying they are concerned by the fact that the Department of Commerce “has not made use of the possibility provided in the Privacy Shield to request copies of the contractual terms used by certified companies in their contracts with third parties to ensure compliance”.
They added: “There is no effective control over whether certified companies actually comply with the Privacy Shield provisions.”
The 2015 judgement by the court was the culmination of a 2013 legal challenge by European privacy campaigner Max Schrems. His campaign continues
As law firm Loyens & Loeff puts it however: “Not the European Parliament, but only the European Commission has the power to suspend or revise the Privacy Shield framework, notwithstanding the power of the EU Court of Justice to invalidate the European Commission’s decisions.”
The European firm’s Florence D’Ath and Véronique Hoffeld added: “While the Resolution of the European Parliament is not binding on the European Commission (or on the CJEU), it is definitely a strong political signal. With, on top of this, a case for the invalidation of the Privacy Shield (initiated by Max Schrems) currently pending before the CJEU, the future of the Privacy Shield does not look very bright.”
Cancelling the Privacy Shield would affect somewhere in the region of 3,400 companies who have self-certified as compliant with its requirements. As solicitor Jocelyn Paulley puts it in a recent whitepaper: “They would have to either freeze data flows, or look to the alternative models to transfer data such as the EU Commission-approved model clauses or putting in place Binding Corporate Rules.”
The European Parliament’s deadline is likely to pass with more of a whimper than a bang, but the issue, meanwhile, is not going anywhere; certainly not while the Irish courtroom battle between privacy activist Max Schrems and Facebook continues.