deepagopi2011 - Fotolia

MEPs call for European Commission to reassess Privacy Shield

European parliamentarians have called for an immediate review of the Privacy Shield EU-US data transfer framework due to concerns about privacy protections being undermined in the US

Members of the European Parliament (MEPs) have called on the European Commission (EC) to reassess the EU-US Privacy Shield transatlantic data transfer agreement due to concerns over US privacy safeguards.

The MEPs have raised concerns that US authorities are not fully adhering to the terms of the agreement and that the US administration, under president Donald Trump, is rolling back privacy safeguards and stepping up surveillance through executive orders.

A resolution adopted by 306 votes to 240, with 40 abstentions, calls for the EC to conduct a proper assessment of the Privacy Shield framework to ensure it provides enough protection for the personal data of EU citizens to comply with the EU Charter of Fundamental Rights and new EU data protection rules.

The resolution comes just days after president Trump signed a bill to repeal Obama-era internet privacy rules that would have given internet users greater control over what internet service providers (ISPs) can do with their data.

Since 1 August 2016, US companies have been able to register for Privacy Shield, which was designed to replace the Safe Harbour agreement after it was declared invalid by the Court of Justice of the European Union (CJEU). So far, more than 1,900 companies have joined Privacy Shield, including Google, Microsoft, and Facebook.

“This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses,” said Claude Moraes, chair of the European Parliament’s Civil Liberties Committee and MEP for London.

“We acknowledge the significant improvements made compared to the former EU-US Safe Harbour, but there are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and businesses that depend on this agreement.”

When the Article 29 Working Party (WP29) of European privacy regulators approved the data transfer framework in July 2016, it called for a review after a year.

That review is currently scheduled for September 2017, but MEPs want the EC to act sooner in the light of five key areas of concern.

Read more about EU-US Privacy Shield

  • Ireland faces legal challenge over the independence of its data commissioner, in the wake of the scrapping of the Safe Harbour data protection agreement.
  • Dublin court case on the legality of Facebook’s data transfers to the US raises issues that affect US national security, claims US Department of Justice.
  • User demand for locally hosted cloud services prompts cloud firms and infrastructure providers to rapidly take up datacentre space in Europe, CBRE research shows.

The MEPs said they were concerned about recent revelations about surveillance activities conducted by a US electronic communications service provider at the request of the NSA and FBI in 2015, a year after Presidential Policy Directive 28 (PPD28) limited the amount of data intelligence that can be collected and processed.

Other key concerns include:

  • New rules that from January 2017 allow the US National Security Agency (NSA) to share vast amounts of private data, gathered without warrant, court orders or congressional authorisation, with 16 other agencies, including the FBI.
  • The rejection of rules to protect the privacy of broadband customers by the Senate and the House of Representatives, which eliminates rules that would have required internet service providers to get consumers’ explicit consent before selling or sharing web browsing data and other private information with advertisers and other private companies.
  • Vacancies on the Privacy and Civil Liberties Oversight Board, which means that it lost its quorum on 7 January, making it more limited in its authority, while at the same time the Federal Trade Commission, which enforces the Privacy Shield, has three of its five seats vacant.
  • Insufficient independence of the Ombudsperson mechanism set up by the US Department of State plus the fact that the incoming US administration has not appointed a new Ombudsperson.
  • The fact that neither the Privacy Shield Principles nor letters from the US administration demonstrate the existence of effective judicial redress rights for EU individuals whose data are transferred to the US.

In the European parliament’s plenary session after the MEP vote on the resolution, EU justice commissioner Vera Jourova tried to calm MEPs’ fears that the Trump administration could water down the privacy rules introduced by PPD20 that became the legal basis for Privacy Shield, reports Euractiv.

Jourova, who recently visited senior Trump administration officials in Washington, told MEPs that the US promised her “there are no changes foreseen” to the PPD28.

Jourova said she “made absolutely clear to American partners that this is the main pillar” for keeping Privacy Shield in place.

“If we are faced with any developments that could negatively affect the level of protection afforded under the Privacy Shield, the European Commission will take responsibility and use all available mechanisms, be it review, suspension, revocation, repeal to promptly react,” she told MEPs.

Read more on Privacy and data protection

Data Center
Data Management