The EU Commission should go on negotiating with the USA to remedy “deficiencies” in proposed “Privacy Shield” protection for EU citizens’ data transferred to the US for commercial purposes, the European Parliament stated in a non-legislative resolution passed today (Thursday May 26th).
In the resolution, passed by 501 votes to 119 with 31 abstentions, Euro MEPs have welcomed the efforts of the Commission and the US authorities to achieve "substantial improvements" in the Privacy Shield mechanism compared to the Safe Harbour framework which it is set to replace.
Nevertheless, the MEPs have voiced concern about “deficiencies” in the proposed new arrangement negotiated by the Commission, notably:
- The US authorities’ access to data transferred under the Privacy Shield;
- The possibility of collecting bulk data, in some cases, which does not meet the criteria of "necessity" and "proportionality" laid down in the EU Charter of Fundamental Rights;
- The proposed US ombudsperson, a new institution that MEPs accept is a step forward, but believe to be neither "sufficiently independent", nor "vested with adequate powers to effectively exercise and enforce its duty", and
- The complexity of the redress mechanism, which the European Commission and US administration need to make more "user-friendly and effective".
The European Parliament has emphasised that the Privacy Shield framework gives EU Member States' Data Protection Authorities a prominent role in examining data protection claims and notes their power to suspend data transfers. The Parliament has also stressed the importance of the obligation placed upon the US Department of Commerce to resolve such complaints.
Finally, MEPs have called on the Commission to conduct periodic “robust reviews” of its decision that Privacy Shield protection is adequate, particularly in the light of experience with the new EU General Data Protection Regulation which is to take effect in 2018.