Privacy & Information Security Law Blog

On July 5, 2018, the European Parliament issued a nonbinding resolution (“the Resolution”) that calls on the European Commission to suspend the EU-U.S. Privacy Shield unless U.S. authorities can “fully comply” with the framework by September 1, 2018. The Resolution states that the data transfer mechanism does not provide the adequate level of protection for personal data as required by EU data protection law. The Resolution takes particular aim at potential access to EU residents’ personal data by U.S. national security agencies and law enforcement, citing the passage of the CLOUD Act as having “serious implications for the EU, as it is far-reaching and creates a potential conflict with the EU data protection laws.”

The Resolution also cites recent revelations surrounding Facebook and Cambridge Analytica, both Privacy Shield-certified companies, as “highlight[ing] the need for proactive oversight and enforcement actions,” including “systematic checks of the practical compliance of privacy policies with the Privacy Shield principles,” and calls on EU data protection authorities to suspend data transfers for non-compliant companies.

The Resolution comes on the heels of the FTC’s recent settlement with California company ReadyTech for alleged misrepresentations in its privacy policy about the status of the company’s Privacy Shield certification. The Resolution is nonbinding, and the European Commission, through its spokesperson, reportedly has stated that a suspension of the framework is not warranted at this time.