On March 23, 2017, the Members of the European Parliament’s civil liberties, justice and home affairs committee (LIBE) narrowly voted to support a resolution declaring the Privacy Shield to be inadequate. 29 voted in favor of the resolution, 25 against, with one abstention. The resolution, which is still provisional, is expected to be voted on by the European Parliament in full this April.

The Privacy Shield, formally adopted in July 2016 following the invalidation by the ECJ of its predecessor the Safe Harbor, the current trans-border data transfer framework has been under constant criticism. The resolution points out the following identified shortcomings:

  • New U.S. procedures that will allow the NSA to share signal intelligence (SIGNIT) with numerous other agencies without a court order, raises significant concerns with regard to the implications this will have on the Privacy Shield.
  • The Privacy Shield remains to be a self-certification scheme, meaning that it still does not apply to all U.S. companies. This voluntary nature of the framework, combined with the fact that many companies that do self-certify use U.S. based arbitrators to do so, raises questions regarding the practical application of the framework. LIBE worries that it will remain to be a cumbersome process for EU citizens to get redress if their data is misused.
  • There is still no definition of ‘bulk surveillance’. Thus whilst the Privacy Shield stresses that any form of mass surveillance is in breach of European law, it remains unclear as to what will constitute such a breach, especially considering the details that emerged in October 2016 regarding the software that Yahoo created to scan users’ email at the request of the NSA or FBI.

LIBE has called on the European Commission to thoroughly review the framework during its first annual joint review, which is expected to take place this summer. It has urged the Commission to take into account the shortcomings identified in the resolution during its review. We will of course closely follow the developments concerning the Privacy Shield, and will keep our readers updated on this.