On July 5, 2018, the European Union Parliament advised the EU Commission to suspend the so-called EU-US Privacy Shield. This renews and hardens the EU Parliament's position on Privacy Shield's privacy rules for US companies that process and store data of EU citizens. Already in October 2017, the European Parliament had published a list of 10 recommendations pointing to gaps and weaknesses in the Privacy Shield.

In its recommendation to the EU Commission, the Parliament pointed out that the US administration has failed to implement two core elements of the Privacy Shield. For example, there is still no ombudsman who leads the U.S. Privacy and Civil Liberties Oversight Board (PCLOB), let alone any other members of this board. As a result, EU citizens lack a contact person in the event of data breaches, and with it any way to assert their rights in the US at all.

Privacy Shield replaces Safe Harbor

As a reminder, Privacy Shield was introduced as a replacement for the Safe Harbor Agreement. Safe Harbor fell because the European Court of Justice upheld the complaint of the Austrian lawyer Maximilian Schrems in 2015. The Safe Harbor rules were meant to create a 'safe data port' for sensitive data outside the EU, so that this data could be processed, for example, in the US. Triggered by the Snowden publications (notably PRISM), this agreement was reviewed and finally replaced by Privacy Shield.

EU Parliament confirms assessment: Sensitive data is not safe at US companies

As explained in my last blog post, sensitive and also security-relevant data of a company should not leave Europe. Parliament's assessment reinforces the urgency of data protection. Security-related data such as intellectual property, or administrative credentials such as domain passwords, should not be handed to cloud providers in the US. The Cloud Act and Privacy Shield are incompatible.

More information on the resolution of the European Parliament is published here, an analysis can be found here.