Resolution on the adequacy of the protection afforded by the EU-US Privacy Shield

2016/3018(RSP)

The European Parliament adopted by 306 votes to 240, with 40 abstentions, a resolution tabled by the Committee on Civil Liberties, Justice and Home Affairs on the adequacy of the protection afforded by the EU-US Privacy Shield.

The EU-US Privacy Shield replaced the former Safe Harbour decision, which was invalidated by an EU Court of Justice judgment on 6 October 2015 (the Schrems case).

Parliament welcomed the fact that, following further discussions with the US administration, the Commission adopted its implementing decision 2016/1250 declaring the adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield.

As at 23 March 2017, 1 893 US organisations had joined the EU-US Privacy Shield. Members regretted that the Privacy Shield is based on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme.

Despite the assurances given by the US Government and the significant improvements in the clarity of standards compared to the former EU-US Safe Harbour, Members raised a number of concerns regarding certain aspects of national security and law enforcement, including:

  • the significant difference between the protection provided by Directive 95/46/EC and the “notice and choice” principle of the Privacy Shield arrangement, as well as the considerable differences between the Directive and the “data integrity and purpose limitation” principle of the Privacy Shield arrangement;
  • the lack of specific rules on automated decision-making and on a general right to object, and the lack of clear principles on how the Privacy Shield Principles apply to processors (agents);
  • the fact that only a fraction of the US organisations that have joined the Privacy Shield have chosen to use an EU data protection authority for the dispute resolution mechanism;
  • recent revelations about surveillance activities conducted by a US electronic communications service provider on all emails reaching its servers, upon request of the National Security Agency (NSA) and the FBI, as late as 2015, i.e. one year after Presidential Policy Directive 28 was adopted and during the negotiation of the EU-US Privacy Shield;
  • the lack of effective judicial redress rights for individuals in the EU whose personal data are transferred to a US organisation;
  • the absence of a uniform definition of "bulk surveillance" that would reflect European understanding of the term and ensure that the evaluation of data is not made dependent on selection; Members deplored the fact that the EU-US Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes;
  • whether the Ombudsperson mechanism set up by the US Department is sufficiently independent, and the fact that it is not vested with sufficient effective powers to carry out its duties and provide effective redress to EU individuals.

On the basis of these considerations, the resolution called on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679 (General Data Protection Regulation), to be applied as from 16 May 2018, and with the Charter of Fundamental Rights of the European Union.