A vote by European Union lawmakers seeking to suspend Privacy Shield could spell bad news for businesses that have built their GDPR compliance strategy on adherence to the EU-U.S. data transfer agreement’s principles.

The EU’s General Data Protection Regulation, like its predecessor the Data Protection Directive, authorizes the export of EU citizens’ personal information only to jurisdictions that provide an adequate level of privacy protection.

Privacy Shield, an agreement signed by EU and U.S. officials in 2016, seeks to reconcile the different levels of legal protection afforded on each side of the Atlantic, allowing businesses to export EU citizens’ data to the U.S. for processing.

The EU’s executive body, the European Commission, ruled in 2016 that the Privacy Shield deal provided adequate protection for personal information, but called for it to be reviewed annually.

It’s with an eye on the next review of the agreement, in September, that Members of the European Parliament called for the deal to be suspended in a vote on July 5.

The Parliament’s resolution on Privacy Shield identified several areas in which U.S. authorities had not yet met their commitments under the agreement, despite having been given a deadline of May 25, 2018.

The U.S. Senate has still not ratified the appointment of three members of the Privacy and Civil Liberties Oversight Board (PCLOB), including its chairman. That’s preventing the board from fulfilling “its missions of preventing terrorism and ensuring the need to protect privacy and civil liberties,” the resolution noted.

Another oversight mechanism, that of the Privacy Shield Ombudsperson, is also lacking, the resolution said. The resolution deplored a lack of clarity about the Ombudsperson’s powers, and called for a permanent appointee to the role, issues that prevent effective redress for EU citizens.

The Department of Commerce also came in for criticism. The Parliament expressed concerns that companies had been allowed to claim they had Privacy Shield certification before Department of Commerce officials had added them to the official list, and regretted that officials did not do more to verify companies’ compliance, which largely depends on self-certification.

The Parliament’s vote is non-binding: Privacy Shield can only be overturned by the Commission, or by the EU’s highest court, the European Court of Justice. It was the ECJ that invalidated the Safe Harbor agreement that Privacy Shield replaced. However, it will be difficult for the Commission to dismiss the Parliament’s criticisms and prolong the Privacy Shield deal if U.S. authorities do not move to address them before September.

The European Data Protection Board, composed of national data protection authorities from across the EU, is also closely monitoring moves by the U.S. to comply with its obligations under Privacy Shield. EDPB is still awaiting the appointment of a permanent Privacy Shield Ombudsperson in the U.S., and is concerned about a lack of information on the Ombudsperson mechanism, especially on how the Ombudsperson interacts with the intelligence services.

Ahead of the Parliament’s vote, groups representing businesses relying on Privacy Shield warned that suspension of the deal would damage transatlantic trade.

The American Chamber of Commerce in Germany said it wants the flow of data to continue while improvements to the deal are put in place. The Computer & Communications Industry Association (CCIA) cautioned against a rushed suspension of the arrangement, which it said has already seen many improvements since its introduction.

A delegation from the Parliament’s Civil Liberties Committee will visit Washington next week, seeking answers from administration officials and Congress. If they aren’t forthcoming, September’s review of Privacy Shield could prove problematic for businesses on both sides of the Atlantic.