On March 23, 2017, the European Parliament Civil Liberties, Justice and Home Affairs Committee narrowly adopted a resolution identifying “key deficiencies” in the E.U.-U.S. Privacy Shield. The resolution, which was passed by a vote of 29 in favor, 25 against and one abstention, details a number of deficiencies with the personal data transfer framework. In particular, while acknowledging improvement over the E.U.-U.S. Safe Harbor that was invalidated by the European Court of Justice in 2015, the resolution raises concerns regarding the lack of specific rules on automated decision-making and the general right to object to data transfers.
Additionally, the resolution specifically notes the insufficient protections surrounding mass and indiscriminate collection of personal data despite assurances attached to the Privacy Shield by the U.S. Director of National Intelligence. The resolution also urged an immediate assessment of whether rules approved by the U.S. in early 2017 allowing the National Security Agency to share private data with other agencies are consistent with the U.S.’s responsibilities under the Privacy Shield. Finally, the lack of a judicial remedy for individuals in the European Union whose data is transferred under the Privacy Shield and processed by both private organizations and U.S. law enforcement agencies is yet another concern of the committee.
The Privacy Shield, which is administered by the U.S. Department of Commerce, allows companies that self-declare their compliance with EU-approved privacy and security principles to transfer personal data from the EU to the U.S. Over 1,800 U.S. companies have registered for the program, including Microsoft Corp., Facebook Inc. and Alphabet Inc.’s Google.