The Par­lia­men­t’s Civil Lib­er­ties Com­mit­tee has adopted a res­o­lu­tion crit­i­cis­ing the Com­mis­sion’s EU-US Pri­vacy Shield. The res­o­lu­tion raises yet more ques­tions on whether the agree­ment is legally sus­tain­able.

24 March 2017 – On Thurs­day the Eu­ro­pean Par­lia­men­t’s Civil Lib­er­ties Com­mit­tee nar­rowly passed a res­o­lu­tion [PDF], with 29 votes to 25, high­light­ing MEPs’ con­cern with the EU-US Pri­vacy Shield; an agree­ment fa­cil­i­tat­ing com­mer­cial data trans­fers in com­pli­ance with EU data pro­tec­tion leg­is­la­tion be­tween the two re­gions fol­low­ing the de­ci­sion in 2015 of the Eu­ro­pean Court of Jus­tice in­val­i­dat­ing the pre­vi­ous agree­ment known as Safe Har­bour.

Af­ter the vote, Claude Moraes, the Civil Lib­er­ties Com­mit­tee Chair­man, said that “the Civil Lib­er­ties Com­mit­tee res­o­lu­tion adopted to­day sends a clear mes­sage that, while the Pri­vacy Shield con­tains sig­nif­i­cant im­prove­ments com­pared to the for­mer EU-US Safe Har­bour, key de­fi­cien­cies re­main to be ur­gently re­solved”.

The par­lia­ment res­o­lu­tion thus ac­knowl­edges sig­nif­i­cant im­prove­ments along with of­fer­ing scathing crit­i­cism of the new agree­ment. The lack of ef­fec­tive ju­di­cial re­dress for EU cit­i­zens in the US is among the is­sues high­lighted. Specif­i­cally, the res­o­lu­tion states that “nei­ther the Pri­vacy Shield Prin­ci­ples nor the let­ters of the U.S. ad­min­is­tra­tion pro­vid­ing clar­i­fi­ca­tions and as­sur­ances demon­strate the ex­is­tence of ef­fec­tive ju­di­cial re­dress rights for in­di­vid­u­als in the EU whose per­sonal data are trans­ferred to an U.S. or­gan­i­sa­tion un­der the Pri­vacy Shield Prin­ci­ples”.

The res­o­lu­tion also crit­i­cises the fact that “the Om­budsper­son mech­a­nism set up by the U.S. De­part­ment of State is not suf­fi­ciently in­de­pen­dent”. A sim­i­lar crit­i­cism of the om­budsper­son was pre­sented by na­tional data pro­tec­tion au­thor­i­ties through the Ar­ti­cle 29 Data Pro­tec­tion Work­ing Party in its re­port last year: “the WP29 is con­cerned that this new in­sti­tu­tion is not suf­fi­ciently in­de­pen­dent and is not vested with ad­e­quate pow­ers to ef­fec­tively ex­er­cise its duty and does not guar­an­tee a sat­is­fac­tory rem­edy in case of dis­agree­ment.”

The Par­lia­men­t’s res­o­lu­tion also crit­i­cised the Eu­ro­pean Com­mis­sion’s process when set­ting up the Pri­vacy Shield in that “the pro­ce­dure of adop­tion of an ad­e­quacy de­ci­sion does not pro­vide for a for­mal con­sul­ta­tion of rel­e­vant stake­hold­ers” and that the Com­mis­sion thereby also im­ple­mented the Pri­vacy Shield in a man­ner that “de facto has not en­abled the Par­lia­ment to ex­er­cise its right of scrutiny on the draft im­ple­ment­ing act”.

While the res­o­lu­tion has no le­gal im­pact on the EU-US Pri­vacy Shield agree­ment, it of­fers fur­ther ev­i­dence that the agree­ment may not be on as a safe foun­da­tion as the Com­mis­sion at­tempted to por­tray in its in­tro­duc­tion. The res­o­lu­tion is ex­pected to be fi­nalised by a full par­lia­ment vote in April.