Will a large part of transatlantic data flows between the EU (and possibly Switzerland) and the US soon be illegal again?
The EU Parliament has called on the EU Commission to suspend the EU-US Privacy Shield if the US does not fully comply with its obligations by September 1, 2018. The EU Commission is not bound by Parliament’s request.
The topic was initiated by the LIBE Committee of the EU Parliament (Committee on Civil Liberties, Justice and Home Affairs). Against the background of the Facebook/Cambridge Analytica data breaches, LIBE questioned the effectiveness of the Privacy Shield, especially as both companies involved were certified under the Privacy Shield. The EU Parliament was particularly concerned that the US authorities had remained inactive after the revelations and that the companies were not removed from the Privacy Shield list. The EU Parliament also expressed concern about the new US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) and the extensive international access rights to personal data that it provides for US authorities.
Should the EU-US Privacy Shield be suspended, its Swiss counterpart (Swiss-US Privacy Shield) is likely to follow soon. This was already the case with its predecessor in October 2015, when the EU-US Safe Harbor Agreement was declared invalid. Companies that share personal data across the Atlantic, e.g. as part of outsourcing to a US service provider or within the group to a US affiliate, must then implement other protective measures, such as data transfer agreements or binding corporate rules, in order to lawfully transfer the data to the “unsafe” third country USA.