While America was celebrating the 4th of July, the European Parliament voted in favor of a non-binding resolution calling on the European Commission to suspend the Privacy Shield program unless the US is fully compliant with all the requirements of the deal by September 1st, 2018. The resolution also calls on the European Commission to update Privacy Shield to incorporate the new GDPR requirements. Privacy Shield replaced the now-defunct Safe Harbor and is a mechanism by which American companies self-certify their adherence to EU data protection principles so that personal data can lawfully be transferred from the EU to the US. There is not yet any indication of what, if anything, may replace the program if it is suspended. The recent controversy surrounding Facebook and Cambridge Analytica has cast increasing doubt on the efficacy of Privacy Shield, as both companies relied on it for their data transfers.
What does this mean for company compliance programs? First, there is no cause for panic at this moment. The European Parliament alone does not have the power to enact a formal suspension of the Privacy Shield deal, and the program is almost certain to remain in force at least until the annual joint review in October. However, European regulators' opinions on Privacy Shield have been trending negative for quite some time, and we should not be surprised if it is suspended or replaced this fall. Risk-averse companies may begin implementing alternative data transfer mechanisms (standard contractual clauses or binding corporate rules) in anticipation of a Privacy Shield suspension, so that a suspension does not leave ongoing transfers without a legal basis. A readiness assessment from a qualified independent audit firm can help compliance teams identify gaps in their cross-border data transfer mechanisms.