EU-US Privacy Shield may soon not be a guarantee of the legal transfer of personal data to the US under the GDPR

On 5 July 2018, the European Parliament adopted Resolution 2018/2645 (RSP) on the adequacy of the EU-US Privacy Shield for the protection of European citizens when transferring their personal data to the US. This occurred in response to the Facebook-Cambridge Analytica case, when the company had abused Facebook data for more than 2.7 million European citizens in connection with the presidential campaign of Donald Trump.

With this resolution, Parliament calls on the European Commission to suspend the operation of the EU-US Privacy Shield, with effect from 1 September 2018, with reference to Article 45(5) of the GDPR, unless the United States is able to guarantee an adequate level of personal data protection for European citizens in accordance with the GDPR provisions and other related regulations. The platform’s operation should then remain suspended until the US demonstrates its ability to guarantee the above-mentioned adequate level of protection.

In practice, a suspension of the EU-US Privacy Shield could have a significant impact not only on the ability of European companies and entrepreneurs to transfer personal data directly to the US, but also on the possibility of using any software or tools that require European personal data to be transmitted to the US (especially due to the location of servers in the US).

One such tool is, for example, the MailChimp marketing platform, which is operated by countless European and Czech companies. Therefore, if the suspension of the functioning of the EU-US Privacy Shield actually occurred, all European users of this platform would most likely be forced to stop using MailChimp immediately until the adoption of another appropriate data security guarantee in accordance with Article 46 GDPR.

The full text of the resolution is available here:

First consultation free or find out more