– On Thursday the European Parliament’s Civil Liberties Committee narrowly passed a resolution [PDF], with 29 votes to 25, highlighting MEPs’ concern with the EU-US Privacy Shield; an agreement facilitating commercial data transfers in compliance with EU data protection legislation between the two regions following the decision in 2015 of the European Court of Justice invalidating the previous agreement known as Safe Harbour.
After the vote, Claude Moraes, the Civil Liberties Committee Chairman, said that “the Civil Liberties Committee resolution adopted today sends a clear message that, while the Privacy Shield contains significant improvements compared to the former EU-US Safe Harbour, key deficiencies remain to be urgently resolved”.
The parliament resolution thus acknowledges significant improvements along with offering scathing criticism of the new agreement. The lack of effective judicial redress for EU citizens in the US is among the issues highlighted. Specifically, the resolution states that “neither the Privacy Shield Principles nor the letters of the U.S. administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to an U.S. organisation under the Privacy Shield Principles”.
The resolution also criticises the fact that “the Ombudsperson mechanism set up by the U.S. Department of State is not sufficiently independent”. A similar criticism of the ombudsperson was presented by national data protection authorities through the Article 29 Data Protection Working Party in its report last year: “the WP29 is concerned that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.”
The Parliament’s resolution also criticised the European Commission’s process when setting up the Privacy Shield in that “the procedure of adoption of an adequacy decision does not provide for a formal consultation of relevant stakeholders” and that the Commission thereby also implemented the Privacy Shield in a manner that “de facto has not enabled the Parliament to exercise its right of scrutiny on the draft implementing act”.
While the resolution has no legal impact on the EU-US Privacy Shield agreement, it offers further evidence that the agreement may not be on as a safe foundation as the Commission attempted to portray in its introduction. The resolution is expected to be finalised by a full parliament vote in April.