MEPs call on European Commission to suspend Privacy Shield framework

Civil liberties committee expresses concern over companies that have misused personal data

Cambridge Analytica’s offices in London. Following the Facebook-Cambridge Analytica data breach, the MEPs highlighted the need for better monitoring of the agreement, given that both companies are certified under the EU-US framework.

MEPs have called on the European Commission to suspend the EU-US Privacy Shield framework for personal data transfers, saying it fails to provide enough data protection for EU citizens.

The Civil Liberties Committee of the European Parliament said on Tuesday the agreement should be suspended unless the US complied with it by September 1st. They said Privacy Shield should remain suspended "until the US authorities comply with its terms in full".

Following the Facebook-Cambridge Analytica data breach, the MEPs highlighted the need for better monitoring of the agreement, given that both companies are certified under the EU-US framework.

In a statement, the MEPs called on the US authorities “to act upon such revelations without delay and if needed, to remove companies that have misused personal data from the Privacy Shield list”.


“EU authorities should also investigate such cases and if appropriate, suspend or ban data transfers under the Privacy Shield,” they added.

The MEPS said they were also worried about the recent adoption of the Clarifying Lawful Overseas Use of Data Act (Cloud Act), a US law that grants the US and foreign police access to personal data across borders.

They said the US law could have serious implications for the EU and it could conflict EU data protection laws.

Civil Liberties Committee chair and rapporteur Claude Moraes said: "The LIBE committee today adopted a clear position on the EU US Privacy Shield agreement.

“While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter.

“It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.”

The resolution was passed by 29 votes to 25, with three abstentions. The full parliament is expected to vote on the text in July.

Privacy Shield is an agreement between the US and the EU allowing US companies considered to have an adequate level of data protection to transfer personal data from EU to the US.

It is the successor to the Safe Harbour framework, which was invalidated by the Court of Justice of the European Union in October 2015 because it failed to provide adequate protection for the personal data of EU citizens.

The EU Commission then negotiated Privacy Shield deal to ensure adequate protection of personal data transferred and stored by companies in the US and it was adopted in July 2016.