MEPs Call for Clarity on EU-US Data Transfers Over Privacy Fears

The lawmakers are debating the proposed text of the latest agreement with the US over the privacy of data related to EU citizens, held on US servers by multinational companies — called Privacy Shield.

The agreement has been under negotiation for months ever since the European Court of Justice ruled in October 2015 that the previous EU-US data agreement — Safe Harbor — was invalid. The issue arises from the strict EU laws — enshrined in the Charter of Fundamental Rights of the European Union — to the privacy of their personal data.

The Safe Harbor agreement was a quasi-judicial understanding that the US undertook to agree that it would ensure that EU citizens' data on US servers would be held and protected under the same restrictions as it would be under EU law and directives. The data covers a huge array of information — from Internet and communications usage, to sales transactions, import and exports.

The case arose when Maximillian Schrems, a Facebook user, lodged a complaint with the Irish Data Protection Commissioner, arguing that — in the light of the revelations by ex-CIA contractor Edward Snowden of mass surveillance by the US National Security Agency (NSA) — the transfer of data from Facebook's Irish subsidiary onto the company's servers in the US do not provide sufficient protection of his personal data.

"The Safe Harbor Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals," the court ruled that.

Devil in the Detail

The new proposed replacement — known as Privacy Shield — has been agreed after months of negotiation between the US and the EU and promises that: "for the first time, the US government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalized access to personal data […] through an Ombudsperson mechanism within the Department of State, who will be independent from national security services."

However, lawmakers on the Civil Liberties, Justice and Home Affairs Committee in the European Parliament have called-in the details over fears Privacy Shield has been drafted too loosely and will not protect the personal data of EU citizens.

Speaking on the Commission's proposal, the committee chair Claude Moraes said:

"The new framework […] has no written text and my first concern is that it has too much in common with the previous Safe Harbor decision. The announcement does not indicate any measures which are legally binding on either party, but relies on 'declaration' by the US authorities on their interpretation of the legal situation regarding surveillance by the US intelligence services.

"Another key concern is that the creation of an Ombudsman which could be a positive step forward in assessing the complaints of citizens does not seem to be underpinned in the current statement by sufficient legal powers," he said.