On Tuesday, the Civil Liberties (LIBE) Committee at the European Parliament passed a motion recommending that the European Commission suspend the application of the Privacy Shield unless the US meets its obligations under the framework "in full" by the end of summer. The entire European Parliament is set to vote on the text of the motion in July.
The Privacy Shield enables US businesses that self-certify to a number of privacy principles to transfer personal data from the EU to the US in line with the requirements of EU data protection law. The Privacy Shield has been operational since August 2016.
The Privacy Shield replaced the Safe Harbour scheme which previously helped facilitate EU-US data transfers until that framework was effectively invalidated by the Court of Justice of the EU (CJEU) in 2015.
The European Commission, via a so-called adequacy decision, has deemed that EU-US data transfers handled in line with the Privacy Shield's requirements comply with EU data protection laws. However, the Privacy Shield has met with criticism, including now from the LIBE Committee.
Chair of the LIBE Committee, UK MEP Claude Moraes, said: "While progress has been made to improve on the Safe Harbour agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR."
Previously, concern was raised about the extent of safeguards in place under the Privacy Shield to addresses US bulk surveillance powers, provide EU citizens with the ability to exercise all their rights in respect of the data transferred to the US under the framework, as well as whether they have sufficient scope under US law to obtain judicial redress in respect of mishandling of their data.
In December 2017, EU data protection authorities acting together under the Article 29 Working Party – a body now replaced by the European Data Protection Board – gave the US government until 25 May this year to address its "prioritised concerns" about the framework.
Specifically, the watchdogs said the US must appoint a permanent ombudsperson to handle complaints relating to the accessing of EU citizens' personal data by US intelligence agencies, in line with the requirements set out in the Privacy Shield agreement, and further explain and declassify "the rules of procedure" that apply. The Working Party also said members of another oversight body, the US Privacy and Civil Liberties Oversight Board, should also be appointed by the same date.
The Privacy Shield has also drawn criticism from privacy campaigners and is already the subject of legal challenges.