The national data protection authorities of EU Member States on Wednesday criticised the proposed ‘Privacy Shield’ legal framework for EU-US commercial data transfers.

"The possibility that is left in the Shield ... for bulk collection which if massive and indiscriminate is not acceptable," said Isabelle Falque-Pierrotin, chair of the group of 28 data protection authorities at a press conference.

Although the deal sets limits on what US intelligence agencies can do, European regulators said that these were too loose.

Falque-Pierrotin, who is the head of France’s data protection agency, also said that Europe’s privacy watchdogs had doubts about the effective powers and independence of the US ombudsman which is supposed to guarantee EU citizens a means of address.

Although Privacy Shield was an ‘important improvement’ in some respects, “it would have been better to have something simpler and less complicated,” she said.

Noting that the framework is built on the EU’s current data protection legislation, the data protection authorities urged the Commission to review the rules in two years’ time, when stricter European data protection laws are expected to come into force.

The Commission said it would work swiftly to include the regulators' recommendations in its final decision, which it hopes to adopt in June and EU governments will also have to approve the framework before it is formally adopted by the Commission.