For a number of years now, the European Union (EU) and the United States (US) have been negotiating an agreement on the protection of European citizens’ personal data in the US.
The “Privacy Shield” agreement has been in force since 2016. This is the successor to the “Safe Harbour” agreement, which was considered by European judges to be insufficiently secure for EU citizens.
The “new” agreement aims to ensure that personal data of EU citizens is sufficiently protected if it is stored in the US. The agreement sets out how US companies must deal with EU citizens’ personal data. It is not permissible, for example, to simply hand over EU data to American investigation services. EU citizens will also have the right to complain if they feel that their personal data is not sufficiently protected.
There are signs that the US is not complying with the agreement, or not fully. For example, the US Department of Commerce should have appointed an ombudsman to deal with complaints from EU citizens, but it has still not done so two years after the agreement came into force.
The EU therefore recently decided that it will suspend the Privacy Shield agreement with the US if the US does not meet its data protection requirements by 1 October 2018. In the worst-case scenario, the agreement with the US will be terminated. The EU considers that the recent data abuse scandals demonstrate a lack of protection for personal data in the US. One example is the Facebook-Cambridge Analytica scandal, in which the data of almost 87 million Facebook users was misused, including the data of approximately 2.7 million EU citizens. According to the European Parliament, American companies need to intervene more rigorously and more quickly if data is not processed correctly.
Evaluation of the Privacy Shield will take place shortly. It therefore remains to be seen whether the US will meet the conditions set by the EU. If not, and if the agreement is terminated, it will undoubtedly lead to a chaotic situation, for which no ready-to-use solution is yet available.
If you have any questions or need general advice about how to handle personal data and/or advice about the GDPR in the light of this article, please don’t hesitate to contact Kim Deckers or Monica Leenders. They will be only too happy to assist.