The European Parliament adopted by 306 votes to 240,
with 40 abstentions, a resolution tabled by the Committee on Civil
Liberties, Justice and Home Affairs on the adequacy of the
protection afforded by the EU-US Privacy Shield.
The EU-US Privacy Shield replaced the former Safe
Harbour decision, which was invalidated by an EU Court of Justice
judgment on 6 October 2015 (the Schrems case).
Parliament welcomed the fact that, following further
discussions with the US administration, the Commission adopted its
implementing
decision 2016/1250 declaring the adequate level of protection
for personal data transferred from the Union to organisations in
the United States under the EU-US Privacy Shield.
As at 23 March 2017, 1 893 US organisations have
joined the EU-US Privacy Shield. Members regretted that the Privacy
Shield is based on voluntary self-certification and therefore
applies only to US organisations which have voluntarily signed up
to it, which means that many companies are not covered by the
scheme.
Despite the assurances given by the US Government and
the significant improvements in the clarity of standards compared
to the former EU-US Safe Harbour, Members raised a number of
concerns regarding certain aspects of national security and law
enforcement, including:
- the significant difference between the
protection provided by Directive 95/46/EC and the notice and
choice principle of the Privacy Shield arrangement, as well
as the considerable differences between the Directive and the
data integrity and purpose limitation principle of the
Privacy Shield arrangement;
- the lack of specific rules on automated
decision-making and on a general right to object, and the lack of
clear principles on how the Privacy Shield Principles apply to
processors (agents);
- the fact that only a fraction of the US organisations
that have joined the Privacy Shield have chosen to use an EU
data protection authority for the dispute resolution
mechanism;
- recent revelations about surveillance
activities conducted by a US electronic communications service
provider on all emails reaching its servers, upon request of the
National Security Agency (NSA) and the FBI, as late as 2015, i.e.
one year after Presidential Policy Directive 28 was adopted and
during the negotiation of the EU-US Privacy Shield;
- lack of effective judicial redress rights for
individuals in the EU whose personal data are transferred to a US
organisation;
- the absence of a uniform definition of "bulk
surveillance" that would reflect European understanding of the term
and ensure that the evaluation of data is not made dependent on
selection; Members deplored the fact that the EU-US Privacy Shield
does not prohibit the collection of bulk data for law enforcement
purposes;
- sufficient independence of the Ombudsperson
mechanism set up by the US Department
and the fact that it is not vested with sufficient effective powers
to carry out its duties and provide effective redress to EU
individuals.
On the basis of these considerations, the resolution
called on the Commission to take all the necessary measures to
ensure that the Privacy Shield will fully comply with Regulation
(EU) 2016/679 (General Data Protection Regulation), to be
applied as from 16 May 2018, and with the Charter of
Fundamental Rights of the European Union.