By Jeanette Burgess, Andrew Northage

The embattled EU-US Privacy Shield, one of the approved mechanisms for the transatlantic transfer of personal data, is under threat on a number of fronts. On 5 July 2018, the European Parliament issued a non-binding resolution to suspend the Privacy Shield unless the US complies with EU data protection rules by 1 September 2018. It says that there is a need for better monitoring of the agreement following the recent Facebook/Cambridge Analytica data breach, given that both companies are certified under the Privacy Shield. It is also concerned about a new US law known as the CLOUD Act (Clarifying Lawful Overseas Use of Data), which grants the US and foreign police access to personal data across borders.

It was reported in the previous edition of the Regulatory round-up that the European Parliament’s Civil Liberties, Justice and Home Affairs Committee had been calling on the European Commission to suspend the Privacy Shield. The Privacy Shield was criticised even before its launch in July 2016. It was introduced after the Court of Justice of the European Union (CJEU) held that the previous framework, ‘Safe Harbor’, was invalid. Following the first annual review of the Privacy Shield in September 2017 the Commission said that, on the whole, the framework continued to ensure an adequate level of data protection, but there was room for improvement. While the European Parliament’s recent resolution is not binding, it will ramp up the pressure on the Commission and its US counterparts when the second annual review takes place in October 2018.