New rules allowing the US National Security Agency (NSA) to share private data with other US agencies without court oversight, recent revelations about surveillance activities by a US electronic communications service provider and vacancies on US oversight bodies are among the concerns raised by MEPs in a resolution passed on Thursday.
In the resolution, adopted by 306 votes to 240, with 40 abstentions, MEPs call on the EU Commission to conduct a proper assessment and ensure that the EU-US “Privacy Shield” for data transferred for commercial purposes provides enough personal data protection for EU citizens to comply with the EU Charter of Fundamental Rights and new EU data protection rules. The first annual review of the Privacy Shield framework is expected in September.
"This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses”, said Civil Liberties Committee Chair Claude Moraes (S&D, UK). “We acknowledge the significant improvements made compared to the former EU-US Safe Harbour, but there are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and businesses that depend on this agreement”, he added.
MEPs are particularly worried about:
- recent revelations about surveillance activities conducted by a US electronic communications service provider at the request of the NSA and FBI in 2015, one year after Presidential Policy Directive 28 limited the amount of data intelligence that can be collected and processed,
- new rules that from January 2017 allow the NSA to share vast amounts of private data, gathered without warrant, court orders or congressional authorisation, with 16 other agencies, including the FBI,
- the rejection of rules to protect the privacy of broadband customers by the Senate and the House of Representatives in March, which “ eliminates (…) rules that would have required internet service providers to get consumers’ explicit consent before selling or sharing web browsing data and other private information with advertisers and other private companies”,
- vacancies on the Privacy and Civil Liberties Oversight Board, which means that it lost its quorum on 7 January, making it more limited in its authority, while at the same time the Federal Trade Commission, which enforces the Privacy Shield, has three of its five seats vacant,
- insufficient independence of the Ombudsperson mechanism set up by the US Department of State plus the fact that the incoming US administration has not appointed a new Ombudsperson , and
- the fact that neither the Privacy Shield Principles nor letters from the US administration demonstrate the existence of effective judicial redress rights for EU individuals whose data are transferred to the US.
The Privacy Shield is the successor to the 2000 Safe Harbour decision, which was invalidated by an EU Court of Justice ruling of 6 October 2015 (Schrems case).
The EU Commission responded by negotiating the new Privacy Shield arrangement to ensure “adequate” protection of personal data transferred and stored by companies in the US. This new framework for EU-US data transfers was adopted in July 2016. So far, more than 1,900 companies have joined the scheme.
Procedure: non-legislative resolution