EU-US Privacy Shield not up to snuff, data tap should be turned off – MEPs

The deal governing transatlantic data flows doesn't properly protect European Union citizens and should be suspended unless the United States complies with its terms, MEPs have said.

The Privacy Shield agreement, which aims to protect personal data transferred from the EU to the US, was set up after a legal challenge by privacy activist Max Schrems ruled its predecessor, Safe Harbor, invalid.

The new deal was agreed in summer 2016, and underwent its first annual review last September, when the European Commission deemed it adequate – despite raising a number of concerns.

These included vacant posts on the Privacy and Civil Liberties Oversight Board (PCLOB), the lack of a permanent ombudsman, the impact of US President Donald Trump's executive orders on immigration, and attitudes towards security and privacy.

However, almost a year later, MEPs on the civil liberties committee (LIBE) have warned that a number of issues are still not resolved – which they say means the US is not compliant with the terms of the deal, or EU data protection laws.

In a close-run vote last night – passed by 29 to 25, with three abstentions – the committee adopted a motion for a resolution that calls on the Commission to suspend the deal unless the US is compliant by 1 September.

"While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter," said Claude Moraes, chair of LIBE.

"It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the [General Data Protection Regulation]."

The committee also pointed out that both Facebook and Cambridge Analytica – the firms at the centre of the data scandal of the year – are both certified under the Privacy Shield.

It called on US authorities to act on these revelations "without delay", and "if needed, to remove such companies from the Privacy Shield list"; their EU counterparts should also investigate and, where appropriate, suspend or prohibit data transfers under the deal.

Similarly, the US Department of Commerce should carry out more proactive and regular compliance checks, to ensure that companies – which are allowed to self-certify – are falling in line with Privacy Shield.

Elsewhere in the motion, the committee did acknowledge that some progress had been made – for instance, the appointment of a chair for PCLOB – but noted that the delay had prevented the group from drawing up various reports.

They added that the delay in choosing an ombudsman "is not contributing to mutual trust" and said that the role's powers in relation to the intelligence community needed to be clarified.

Meanwhile, the group expressed regret that the US hadn't embedded Presidential Policy Directive 28 (PDF) – which states surveillance activities need to safeguard personal information regardless of where the person resides – into the Foreign Intelligence Surveillance Act when it was re-authorised at the end of last year.

It called for evidence ensuring that data collection under FISA 702 isn't indiscriminate and isn't conducted in a generalised, bulk manner – which would run against the EU Charter on Fundamental Rights.

The group also raised concerns that the US's new snooping law, the CLOUD (Clarifying Lawful Overseas Use of Data) Act – which obliges US companies to hand over content to authorities even if it is held on servers overseas – could conflict with EU data protection laws.

The committee said a "more balanced solution" would have been to strengthen existing Mutual Legal Assistance instruments, which the group said respect the laws of the country in which the data is located.

Moreover, the committee said US authorities should have provided the Commission with "timely and comprehensive" information about the new law, as it was relevant to the Privacy Shield, but failed to do so.

The motion is expected to be put to a vote in the full House in July. ®