Latimer LeVay Fyock, LLCLatimer LeVay Fyock, LLC

EU Parliament Votes to Suspend Privacy Shield

 As we have suggested for some time, the Privacy Shield, by which United States companies can evidence compliance with the European Union General Data Protection Regulation and its predecessor (the "EU GDPR"), is on shaky ground. 

On July 4, 2018, the EU Parliament called for the suspension of the Privacy Shield in a non-binding resolution (available at, by a close vote of 303- 223.  The EU Parliament's resolution provides that the United States must demonstrate adequate compliance by September 1, 2018, providing in part:

"Takes the view that the current Privacy Shield arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice;
"Considers that, unless the US is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield  until the US authorities comply with its terms."

The United States has been found not to be adequate or equivalent to the EU privacy initiatives since the mid-1990s, and the Privacy Shield is a workaround that permits United States companies to self-certify and demonstrate adherence to the basic EU framework on safeguarding of information.   Absent the Privacy Shield, United States companies who wish to bring data of EU subjects to the United States will have to obtain express written consent or use model contract provisions.  In 2015, the predecessor to the Privacy Shield, Safe Harbor, was invalidated by the EU as not being rigid enough.

Privacy Shield was the compromise.  Almost immediately, some EU regulators and privacy advocates, including Max Schrems, argued the Privacy Shield was not adequate and also that a solution should wait until the EU GDPR went into effect (it did on May 25, 2018).

This latest development in privacy and the EU will be monitored closely, as it could have major impact on the businesses that are accessing and utilizing EU data.  In the last week, California also raised the stake on privacy when the California legislature enacted a new act that largely follows the model of the EU GDPR.