MEPs: 'Mass surveillance' still possible under US privacy deal

However, this deal has repeatedly received criticism from civil society and MEPs, who believe European citizens' rights might be not fully protected.

"We have raised our concerns with US authorities regarding the remaining deficiencies with the EU-US privacy shield," said the chair of LIBE and head of the delegation, MEP Juan Fernando López Aguilar.

"More needs to be done to provide the adequate level of data protection for EU citizens," he warned.

Last October, the European Commission gave the greenlight to the agreement in its third annual review, while ensuring that it was necessary to have a mechanism in place to protect EU citizens when their data was transferred to the US.

However, the majority of MEPs who travelled to the US (23-28 February) to assess the state of play of deal remain sceptical.

"Every review that was undertaken by the commission since 2017 revealed serious deficiencies. Despite some improvements in certain areas the main questions have not been solved, for example how to protect EU citizens from mass surveillance," said socialist MEP Birgit Sippel.

"Any EU decision has to protect the essence of the right to the protection of personal data and privacy, but I have serious doubts that this is the case for the shield," she added.

Calls for suspension

In June 2018, the parliament called on the commission to suspend the EU-US data transfer pact - something that might happen due to the so-called "Schrems II" and "La Quadrature de Net" ongoing cases before the European Court of Justice.

According to German MEP Patrick Breyer (Greens/EFA), the EU-US privacy shield does not provide adequate protection for EU citizens because "it does not even attempt to prevent mass surveillance".

Similarly, the socialist MEP Marina Kaljurand believes that there are still "significant legal questions" about this agreement, including the risk of bulk data collection, the safety of onward transfers to third countries or the lack of having an effective "judicial remedy."

Kaljurand also said that there have been some positive steps since 2018, which include the appointment of the ombudsperson and an increase in random checks.

However, the European Data Protection Board does not consider the 'ombudsperson mechanism' to be equal to an effective judicial remedy, an open question to be answered by the Court of Justice of the European Union. (EUCJ)

"One part is crystal clear. We - the EU and the US - need an effective and efficient mechanism for the exchange of personal data based on international law and GDPR," Kaljurand told EUobserver.

Cambridge Analytica example

In 2018, it was reported how Facebook profiles were harvested by London-based elections consultancy Cambridge Analytica without users' consent and used for political advertising.

Facebook, a signatory to the privacy shield, confirmed that 2.7m European citizens' profiles were among those improperly used by Cambridge Analytica.

The same year, the parliament approved a resolution which stressed that the Cambridge Analytica scandal "highlights the need for proactive oversight and enforcement actions with systematic checks of the practical compliance of privacy policies with the privacy shield principles".

Following Facebook's non-compliance with the privacy shield, the delegation of MEPs who recently assessed the agreement regretted that the EU did not impose a fine on Facebook.

According to Estelle Massé from NGO Access Now, "by maintaining the privacy shield, the commission weakens Europe's data protection framework and risks undermining its global leadership role in advancing human rights".