Many stories on Techdirt seem to grind on forever, with new twists and turns constantly appearing, including unexpected developments -- or small, incremental changes. The transatlantic data transfer saga has seen a bit of both. Back in 2015, the EU's top court ruled that the existing legal framework for moving data across the Atlantic, Safe Harbor, was "invalid". That sounds mild, but it isn't. Safe Harbor was necessary in order for data transfers across the Atlantic to comply with EU data protection laws. A declaration that it was "invalid" meant that it could no longer be used to provide legal cover for huge numbers of commercial data flows that keep the Internet and e-commerce ticking over. The solution was to come up with a replacement, Privacy Shield, that supposedly addressed the shortcomings cited by the EU court.
The problem is that a growing number of influential voices don't believe that Privacy Shield does, in fact, solve the problems of the Safe Harbor deal. For example, in March last year, two leading civil liberties groups -- the American Civil Liberties Union and Human Rights Watch -- sent a joint letter to the EU's Commissioner for Justice, Consumers and Gender Equality, and other leading members of the European Commission and Parliament, urging the EU to re-examine the Privacy Shield agreement. In December, an obscure but influential advisory group of EU data protection officials asked the US to fix problems of Privacy Shield or expect the EU's top court to be asked to rule on its validity. In April of this year, the Irish High Court made just such a referral as a result of a complaint by the Austrian privacy expert Max Schrems. Since he was instrumental in getting Safe Harbor struck down, that's not something to be taken lightly.
Lastly, one of the European Parliament's powerful committees, which helps determine policy related to civil liberties, added its voice to the discussion. It called on the European Commission to suspend the Privacy Shield agreement unless the US fixed the problems that the committee discerned in its current implementation. At that point, it was just a committee making the call. However, in a recent plenary session, the European Parliament itself voted to back the idea, and by a healthy margin:
MEPs call on the EU Commission to suspend the EU-US Privacy Shield as it fails to provide enough data protection for EU citizens.
The data exchange deal should be suspended unless the US complies with EU data protection rules by 1 September 2018, say MEPs in a resolution passed on Thursday by 303 votes to 223, with 29 abstentions. MEPs add that the deal should remain suspended until the US authorities comply with its terms in full.
It's important to note that this vote is largely symbolic: if the US refuses to improve the data protection of EU citizens, there's nothing to force the European Commission to comply with the demand of the European Parliament. That said, the call by arguably the most democratic part of the EU -- MEPs are directly elected by European citizens -- piles more pressure on the European Commission, which is appointed by EU governments, not elected. If nothing else, this latest move adds to the general impression that Privacy Shield is not likely to survive in its present form much longer.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+