EU LIBE Issues with Privacy Shield – What SMEs Need To Know

The European Parliament's Civil Liberties Committee (LIBE) voted 29-25 to suspend the EU-US Privacy Shield if it does not fix gaps in compliance by September 1. In making its Resolution, which is non-binding but puts pressure on the Commission to act accordingly, the LIBE Committee highlighted a few of the most pressing issues:

  • The US extension of surveillance measures (FISA Section 702) that allow the government to conduct mass warrantless surveillance of non-US citizens (and arguably of US citizens too). This clause was part of the reason the Court of Justice of the European Union (CJEU) invalidated Safe Harbour in 2015, and the US recently extended it for another 6 years.
  • The recent US adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which grants US and foreign police access to personal data across borders.
  • Skepticism over Privacy Shield’s effectiveness in light of the Facebook-Cambridge Analytica scandal, Facebook’s admission of additional personal data transfers to other companies and other companies’ questionable personal data handling practices. Both Facebook and a subsidiary of Cambridge Analytica were registered members of Privacy Shield.

Potential Impact on SMEs

According to a joint survey conducted in 2017 by the IAPP and EY, 67 percent of surveyed SMEs said they planned to use Privacy Shield by 2018. Indeed, Privacy Shield holds many advantages to SMEs relative to other data transfer mechanisms such as Binding Corporate Rules (typically for larger enterprises) and Model Contract Clauses (which typically necessitate stronger legal background than many small businesses have or can afford).

If Privacy Shield is invalidated in the coming months, businesses will have to turn to other binding legal safeguards. The EU’s GDPR outlines some of these alternatives in Article 46(2). These alternatives generally focus on adopting enforceable contractual commitments and clauses that the EU Supervisory Authority approves or drafts. But at present, none of these clauses or standards have been written or disclosed by a Supervisory Authority. Businesses will need the Supervisory Authority’s guidance on procedures for implementation.

A final decision to invalidate Privacy Shield means that the EU Commission and its national Data Protection Authorities will have a great deal of work to do. They will need to issue guidance for businesses to implement feasible alternatives.

Should SMEs Be Concerned?

Yes, but it may be too early to adjust course or begin to change operational practices.

Two important notes regarding potential impact of this vote:

  • It is not the full Parliament, just the LIBE Committee. The Parliament will hold a full vote later this month.
  • Only the Commission or the CJEU has the power to suspend Privacy Shield. The Commission is scheduled to hold its second annual review of Privacy Shield in October 2018, and the CJEU will issue a ruling on a new Schrems-Facebook case later this year, which may very well negatively impact Privacy Shield.

Make sure your business is prepared for any eventuality. Get compliant and stay compliant with Sovy’s GDPR Privacy Essentials℠.