EU-US “Privacy Shield” for data transfers: further improvements needed, MEPs say
The EU Commission should go on negotiating with the USA to remedy “deficiencies” in proposed “Privacy Shield” protection for EU citizens’ data transferred to the US for commercial purposes, Parliament says in a non-legislative resolution passed on Thursday.
In the resolution, passed by 501 votes to 119 with 31 abstentions, MEPs welcome the efforts of the Commission and the US administration to achieve "substantial improvements" in the Privacy Shield compared to the Safe Harbour decision which it is to replace.
However, they also voice concern about “deficiencies” in the proposed new arrangement negotiated by the Commission, notably:
- the US authorities’ access to data transferred under the Privacy Shield,
- the possibility of collecting bulk data, in some cases, which does not meet the criteria of "necessity" and "proportionality" laid down in the EU Charter of Fundamental Rights,
- the proposed US ombudsperson, a new institution that MEPs accept is a step forward, but believe to be neither "sufficiently independent", nor "vested with adequate powers to effectively exercise and enforce its duty", and
- the complexity of the redress mechanism, which the Commission and US administration need to make more "user-friendly and effective", MEPs say.
Parliament stresses that the Privacy Shield framework gives EU member state’s data protection agencies a prominent role in examining data protection claims and notes their power to suspend data transfers. It also notes the obligation placed upon the US Department of Commerce to resolve such complaints.
Finally, MEPs call on the Commission to conduct periodic “robust reviews” of its decision that Privacy Shield protection is adequate, particularly in the light of experience with the new EU data protection rules which are to take effect in two years.
Procedure: Non-legislative resolution