Calls for the suspension of the US-EU Privacy Shield regime have grown louder, with the Civil Liberties Committee stating that the US should comply with its current obligations under the Privacy Shield programme by 1 September 2018; otherwise, the raft of companies which have self-certified under Privacy Shield will be prevented from using the scheme as a means to transfer personal data from the EU to the US.
With model clauses being challenged in the EU courts by Max Schrems and the ICO stating that the time period to get BCRs in place is currently upwards of 12 months, the options for personal data transfers are becoming more and more limited. This will push many organisations to rely on derogations to the GDPR restrictions on transfers outside of the EEA. However, guidance from the European Data Protection Board states that transfers under Article 49 derogations should not be regular transfers and "would occur outside the regular course of actions, for example, under random, unknown circumstances and within arbitrary time intervals." Accordingly, the derogations are not a basis on which "business as usual" can be conducted.
If the Commission does indeed follow the Civil Liberties Committee's recommendations and the US does not comply by any proposed deadline, it may well be that organisations are forced into a last resort scenario with very few options to maintain the cross-Atlantic data flow on which so many companies are heavily reliant. We wait to hear more from the Commission and hope that no snap decisions are made, especially at a time when companies are still getting to grips with their general GDPR compliance.
The Civil Liberties Committee calls on the Commission to suspend the EU-US Privacy Shield since it fails to provide enough data protection for EU citizens. The data exchange deal should be suspended unless the US complies with it by 1 September 2018, say MEPs, adding that the deal should remain suspended until the US authorities comply with its terms in full.