Cambridge Analytica revelations show need for ‘better monitoring’ of data-protection measures
Members of the European Parliament’s Civil Liberties Committee have called on legislators to suspend the Privacy Shield agreement that governs US firms’ handling of EU citizens’ data.
MEPs on the committee passed a resolution to call for the suspension of the agreement from 1 September, if the “US fails to comply” with its terms.
Privacy Shield came into force in July 2016, and required the US to commit to not engaging in “indiscriminate mass surveillance” of European data.
It replaced the Safe Harbor agreement, which was in effect for 15 years, but was invalidated by the European Court of Justice in 2015. This followed a series of complaints and legal challenges from Austrian citizen Max Schrems, who argued that the agreement did not sufficiently safeguard the privacy of EU citizens. His campaign was prompted by and centred on his belief that the way in which Facebook processed European data infringed on privacy rights.
Under Privacy Shield, all US firms processing EU citizens’ data are required to self-certify that they will adhere to all relevant regulations, with failure to comply being punishable under US law. The agreement also requires firms to respond to complaints from citizens who believe their data has been misused.
Privacy Shield is subject to annual review by authorities on both sides of the Atlantic.
But MEPs have claimed that the recent revelations about Facebook and Cambridge Analytica “emphasise the need for better monitoring of the agreement, given that both companies are certified under the Privacy Shield”.
“MEPs call on the US authorities to act upon such revelations without delay and, if needed, to remove companies that have misused personal data from the Privacy Shield list,” the committee added. “EU authorities should also investigate such cases and, if appropriate, suspend or ban data transfers under the Privacy Shield.”
The committee also expressed concerns about the Clarifying Lawful Overseas Use of Data Act, a new piece of US legislation that MEPs claim “grants the US and foreign police access to personal data across borders”. This law “could have serious implications for the EU and it could conflict [with] EU data-protection laws”, the committee added.
The resolution to call for a wholesale suspension of Privacy Shield from 1 September – if the US does not demonstrate compliance – was passed by the committee by 29 votes to 25, with three abstentions.
Committee chair Claude Moraes said: “The committee today adopted a clear position on the EU US Privacy Shield agreement. While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the commission to take measures to ensure that it will fully comply with the GDPR.”