Members of the European Parliament’s civil liberties, justice and home affairs committee (LIBE) narrowly voted Thursday to support a resolution declaring Privacy Shield to be inadequate.

The trans-border data transfer framework, drawn up by the European Commission with the U.S. Department of Commerce after the European Court of Justice ruled its predecessor, Safe Harbor, invalid in 2015, has faced constant criticism. However, there are those, even within the Parliament, who support the current deal and the committee was split along political lines.

The vote on the text was 29 in favor, 25 against, with one abstention.

The final text of the resolution lists a range of deficiencies in the Privacy Shield agreement and calls on the Commission to thoroughly examine them in its first annual review expected this summer.

The final text of the resolution lists a range of deficiencies in the Privacy Shield agreement and calls on the Commission to thoroughly examine them in its first annual review expected this summer.

Among the shortcomings listed is the fact that Privacy Shield is a self-certification scheme and so does not apply to all U.S. companies, and even those companies that do sign up use U.S.-based private arbitrators, which makes it difficult for EU citizens to get redress if their data is misused.

Just how difficult that is remains to be seen. As reported by The Privacy Advisor recentlyno one is complaining!

MEPs from the left had wanted Privacy Shield to be declared “un-Schrems-proof,” saying in other words that it would not stand up to the ruling given by the European Court of Justice last year on Safe Harbor. They wanted the Commission to fully renegotiate the deal before the General Data Protection Regulation is applied in May 2018, or to repeal it altogether. However members of the European People’s Party and the European Conservatives and Reformists voted against this.

Although the resolution says that Privacy Shield provides for “clearer data protection standards” than Safe Harbor, that does not necessarily mean “better.”  The resolution text points out that there is still no definition of “bulk surveillance” and stresses that any form of mass surveillance is in breach of European law. Privacy Shield permits bulk in six cases.

Chair of the LIBE committee Claude Moraes told The Privacy Advisor that the Commission needs to conduct a proper assessment. “Both citizens and tech companies relying on transatlantic data flows need the certainty of a robust legal framework,” he said.

“The European Parliament has consistently called for a stronger agreement following the invalidation of the Safe Harbor framework in October 2015. The final agreement on Privacy Shield took a number of our concerns into consideration, but nevertheless several remain to be resolved,” he added.

In the resolution, MEPs say they are alarmed that, two years after the Snowden revelations, mass surveillance of a communications provider was still being carried out by U.S. authorities — details emerged in October that Yahoo had created software to scan users’ email at the behest of the National Security Agency (NSA) or FBI. The LIBE MEPs “therefore strongly doubts the assurances of the U.S. Director of National Intelligence in the Privacy Shield context.”

The resolution also expresses concern about new U.S. procedures allowing the NSA to share raw SIGINT data with 16 other agencies without court order and requests the Commission to immediately assess the implications for Privacy Shield.

“The Privacy Shield does not do what the European Commission promises,” said Green MEP Jan Philipp Albrecht. “It is also probable that the Commission’s decision will not be upheld before the European Court of Justice. I welcome the fact that the last word on data transfer to the U.S. will be with the EU data protection authorities, so, for example, the Irish Data Protection Authority could forbid Facebook to disclose personal data to the U.S. and protect users from being spied on by the NSA.”

The resolution is now expected to be voted on by the European Parliament as a whole in the first week of April.