In its recommendation to the EU Commission, the Parliament pointed out that the US administration has failed to implement two core elements of the Privacy Shield. For example, there is still no ombudsman who leads the U.S. Privacy and Civil Liberties Oversight Board (PCLOB), let alone any other members on this board. As a result, EU citizens lack a contact person in the event of data breaches and therefore have no way to assert their rights in the US at all.
Privacy Shield replaces Safe Harbor
As a reminder, Privacy Shield was introduced as a replacement for the Safe Harbor Agreement. Safe Harbor fell because the European Court of Justice upheld the claim of the Austrian lawyer Maximilian Schrems in 2015. The Safe Harbor rules were meant to create a ‘safe data port’ for sensitive data outside the EU, so that this data could be processed, for example, in the US. Triggered by the Snowden publications (notably PRISM), this agreement was reviewed and finally replaced by Privacy Shield.
EU Parliament confirms assessment: Sensitive data is not safe at US companies
As explained in my last blog post, a company's sensitive and security-relevant data should not leave Europe. Parliament’s assessment reinforces the urgency of data protection. Security-related data such as intellectual property, or administrative access data such as domain passwords, should not be given to cloud providers in the US. The Cloud Act and Privacy Shield are incompatible.