It’s been a dizzying two months for organizations trying to comply with new global and domestic privacy rules.  First, on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into force.  (See GDPR Day is Here: Why U.S. Companies Should Care, and Five Tips Toward GDPR Compliance.)  Scarcely one month later, on June 28, 2018, lawmakers in California enacted the California Consumer Privacy Act of 2018, a groundbreaking new privacy law set to take effect on January 1, 2020.  (See Privacy Alert: California Lawmakers Approve Groundbreaking Privacy Law.)  And on July 5, 2018, another shoe dropped:  the European Parliament voted to suspend the Privacy Shield Framework, a mechanism that allows for personal data to be transmitted from the E.U. to the U.S. in a manner that complies with the GDPR.  If Privacy Shield is suspended, companies who rely on it will have to find a new mechanism under the GDPR to transfer personal data from the E.U. to the U.S.

What Happened?

On July 5, 2018, the European Parliament passed Resolution 2018/2645(RSP) (“Resolution”), adopting the view that the current E.U.-U.S. Privacy Shield fails to adequately protect personal data of E.U. individuals and calling on the European Commission to suspend Privacy Shield on September 1, 2018 if the U.S. and European Commission fail to take all necessary measures to ensure that Privacy Shield fully complies with GDPR.  Although the Resolution is non-binding, it is another source of uncertainty in the dynamic spheres of privacy and cybersecurity.

What is Privacy Shield?

The GDPR prohibits the transfer of covered personal data outside the E.U. unless the European Commission determines that the recipient country provides adequate levels of protection for the personal data, or unless other GDPR-recognized procedures are followed.  So far, only 11 countries have qualified for adequacy decisions, and Japan soon will be added to that list as a result of a reciprocal adequacy agreement with the E.U. on July 17, 2018.  The U.S. as a whole has not qualified for an adequacy decision, although certain transfers within the Privacy Shield Framework are permitted under the GDPR.

Privacy Shield is an approved mechanism that allows GDPR- compliant transfers of data from the E.U. to the U.S.  Since July 2016, Privacy Shield has allowed certain U.S. organizations to register and self-certify that they will comply with listed data protection principles of the GDPR.  Privacy Shield is administered by the International Trade Administration within the U.S. Department of Commerce.  Only companies regulated by the Department of Commerce are eligible for Privacy Shield.

Why is Privacy Shield at Risk?

An integral part of Privacy Shield is a joint annual review process by the E.U. and U.S.  During the first annual review in September 2017, an independent European advisory body on data protection and privacy, Working Party 29, identified a number of grievances with Privacy Shield.  Fast-forward to July 5, 2018, and many of the same concerns remain, along with some new ones:

  • The recent revelations of misuse of personal data by Facebook and Cambridge Analytica (two self-certified Privacy Shield organizations);
  • The January 11, 2018 reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA) for six years that allows the U.S. Attorney General and U.S. Director of National Intelligence to jointly authorize collection of foreign intelligence information for up to one year;
  • The failure to appoint a chair and members sufficient for a quorum to the Privacy and Civil Liberties Oversight Board, leaving the Board unable to provide oversight and advice on whether U.S. efforts to protect itself from terrorism are balanced with the need to protect privacy and civil liberties; and
  • The March 23, 2018 enactment of the Clarifying Overseas Use of Data (CLOUD) Act that allows U.S. law enforcement officials to subpoena communications data even if the data is stored outside the United States.

Although this list is not exhaustive, these concerns suggest the European Parliament believes the current legal atmosphere in the U.S. does not align—and has not aligned for some time—with the overarching philosophy of the GDPR.  The European Parliament did not issue a hard and fast deadline, but instead made a generalized call for the European Commission and U.S. to take all necessary measures to ensure that Privacy Shield complies with GDPR by September 1, 2018.

What can U.S. Organizations do if Privacy Shield is Suspended?

If Privacy Shield is eliminated, organizations that depend on it as a GDPR-approved mechanism to transfer personal data from the E.U. to the U.S. may be in violation of the GDPR and potentially subject to serious fines.  Organizations therefore should start considering other GDPR-compliant mechanisms for international data transfers.  Three possible alternate mechanisms are:  (1) implementing binding corporate rules that obligate a company to engage in GDPR-compliant practices (good for international transfers within the same organization); (2) entering into standard contractual clauses (good for international transfers between two different organizations); and (3) obtaining the data subject’s explicit, informed, affirmative consent for the particular transfer after informing the data subject of the possible risks of the transfer.

How Likely is the Suspension of Privacy Shield?

The European Parliament’s call for the suspension of Privacy Shield is a non-binding recommendation.  The Resolution calls on the European Commission to suspend Privacy Shield only if the United States and European Commission fail to take all necessary measures to ensure that the Privacy Shield fully complies with GDPR.  Whether the Commission will answer the call and suspend the Privacy Shield is anyone’s guess, but organizations who depend on transferring data from the E.U. to the U.S. should pay heed to the European Parliament’s concerns and prepare to use a different GDPR mechanism for transferring personal data to the U.S., just in case Privacy Shield is suspended on September 1, 2018.

Keesal, Young & Logan Cybersecurity and Privacy Group

This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.