Suspend Privacy Shield if the USA will not comply, say MEPs

Both Facebook and Cambridge Analytica were certified under the pact, Civil Liberties Committee points out

Privacy Shield, the EU-US data-sharing agreement that covers the transfer of citizens' personal data to the US, must be suspended unless the US complies in full, a group of MEPs has said.

The warning comes in the wake of the Facebook-Cambridge Analytica scandal. Both companies are certified under the scheme (although Cambridge Analytica has now been closed down). The Civil Liberties Committee (LIBE) says this shows that Privacy Shield fails to provide sufficient data protection for EU citizens.

The Committee has called on the European Commission to suspend Privacy Shield unless the US complies by 01 September, and to keep it suspended until it does. It added that the US authorities should act swiftly to remove certified companies that have misused personal data from the Privacy Shield list.

The MEPs also claim that the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) may be incompatible with Privacy Shield and other EU data protection laws, including the GDPR.

Committee chair Claude Moraes said in a statement: "The LIBE committee today adopted a clear position on the EU US Privacy Shield agreement. While progress has been made to improve on the Safe Harbour agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR."

Privacy Shield was brought in to replace Safe Harbour in July 2016 after the original agreement was ruled illegal for failing to adequately protect the privacy of European citizens' data.

At the time, many lawyers doubted that the new agreement would be compatible with the incoming GDPR legislation. Data protection lawyer Sheila Fitzpatrick predicted that the deal would have to be renegotiated.

"Privacy Shield may have to be renegotiated in 2018 because the GDPR obviously puts many more obligations, responsibilities and accountabilities onto any not just US-based multinational companies but any organisation that does business in Europe," Fitzpatrick told Computing in 2016.

Around the same time, European data protection supervisor Giovanni Buttarelli raised concerns about Privacy Shield, claiming that it was not robust enough to stand up to proper legal scrutiny.

The proposal is expected to be voted on by MEPs in July.