Earlier today, the European Parliament passed a non-legislative resolution saying the EU Commission should go back to negotiating with the United States to remedy “deficiencies” in the proposed EU-U.S. Privacy Shield for EU citizens’ data which is transferred to the US for commercial purposes.

The resolution, which passed by a vote of 501-119, with 31 abstentions, acknowledged the efforts of the EU Commission and the US Administration to achieve “substantial improvements” in the Privacy Shield as compared to the EU-U.S. Safe Harbour which it is meant to replace. However, the Members of the European Parliament (MEPs) voiced concerns about “deficiencies” including:

  • the US authorities’ access to data transferred under the Privacy Shield,
  • the possibility of collecting bulk data, in some cases, which does not meet the criteria of “necessity” and “proportionality” laid down in the EU Charter of Fundamental Rights,
  • the proposed US ombudsperson, a new institution that MEPs accept is a step forward, but believe to be neither “sufficiently independent”, nor “vested with adequate powers to effectively exercise and enforce its duty”, and
  • the complexity of the redress mechanism, which the Commission and US administration need to make more “user-friendly and effective.”

The MEPs called on the European Commission to conduct periodic “robust reviews” of its decision that Privacy Shield protections are adequate, particularly in the light of the new EU data protection rules which are to take effect in two years.

Parliament’s resolution follows, and largely supports, the April 13, 2016, opinion of the Article 29 Working Party on the Privacy Shield. While the European Parliament’s resolution and the Article 29 Working Party’s opinion are not binding on the European Commission, both the resolution and opinion raise serious doubts as to when, if at all, the thousands of companies who relied on the invalidated EU-U.S Safe Harbour will ever be able to rely EU-U.S. Privacy Shield for their data transfer needs.