MEPs have voted for a review of the controversial Privacy Shield data transfer agreement between the EU and US, concerned over key areas of weakness.
The European Commission will now be forced to investigate whether the agreement, a successor to Safe Harbor, offers enough protections to EU citizens in compliance with the EU Charter of Fundamental Rights and the forthcoming privacy regulation, the GDPR.
"This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses," said civil liberties committee chair Claude Moraes.
“We acknowledge the significant improvements made compared to the former EU-US Safe Harbor, but there are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and businesses that depend on this agreement.”
As the resolution outlines, MEPs are concerned about a number of recent developments, not least new rules that since January this year have allowed the NSA to share large amounts of private data – obtained without warrants, court orders or the like – with 16 other agencies including the FBI.
They’re also concerned about the roll-back this week of new FCC privacy protections, which means ISPs don’t have to request consent to sell browsing and other data; revelations about service providers acquiescing to NSA/FBI surveillance requests; and vacancies on the Privacy and Civil Liberties Oversight Board and at the FTC.
The MEPs, who voted 306:240 in favor of the motion, also pointed to “insufficient independence” of the Ombudsperson mechanism instituted by the State Department; the lack of a current Ombudsperson; and the absence of “effective judicial redress rights for EU individuals whose data are transferred to the US”.
There was also an outcry in January when incoming US President Donald Trump signed a new Executive Order which stated that certain privacy protections wouldn’t be extended beyond US citizens or residents.
The original Safe Harbor agreement was torn up in 2016 after the European Court of Justice ruled there weren’t adequate protections for European citizens from surveillance by US agencies.
Nigel Hawthorn, privacy spokesperson at Skyhigh Networks, argued that attempts to replace it are “turning into a never-ending episode of Tom & Jerry”.
“While the legislators on both sides of the Atlantic are searching for agreement, it’s businesses that are being left in the lurch having to wait for clarity,” he added.
“In order to mitigate the uncertainty that seemingly isn’t going anywhere any time soon, organizations in Europe may have to vote with their wallets and reduce the amount of data going to the US, or invest in technologies that encrypt data before it is transferred.”