The European Parliament passed a resolution yesterday demanding that the European Commission and the US renegotiate the draft Privacy Shield framework, the new legislation designed to replace the defunct Safe Harbour EU-US data transfer mechanism.
Parliamentarians voiced concern about "deficiencies" in the proposed legislation concerning the US authorities' access to EU citizens' data, and the possibility of bulk data collection.
MEPs said that this does not meet the criteria of "necessity" and "proportionality" laid down in the EU Charter of Fundamental Rights.
The proposed US ombudsman role was criticised for being insufficiently independent of the US government and lacking "adequate powers to effectively exercise and enforce its duty".
MEPs said that the redress mechanism for individuals whose personal data privacy has been breached needs to be more user friendly.
The Article 29 Working Party, an umbrella group of EU national data protection authorities, said in April that Privacy Shield is an improvement on Safe Harbour but still not good enough.
The group also pointed to the redress mechanism in particular as unlikely to be effective.
The Parliament's resolution was passed by 501 votes to 119 with 31 abstentions. It is not binding, but it is likely that the EC's negotiators and US representatives will need to meet once again to iron out the perceived deficiencies if Privacy Shield is to avoid problems in the future.
Data protection lawyers have warned that if the new data transfer mechanism is not sufficiently robust it will need to be renegotiated in 2018 when the new General Data Protection Regulation becomes law.
Other transatlantic data transfer mechanisms deployed by US companies like Facebook, Amazon and Google are also under pressure. Irish data protection authorities have warned that model contract clauses are potentially in breach of EU regulations.
The Irish authorities have suggested that the European Court of Justice (ECJ), the same body that invalidated Safe Harbour, should look into the matter.
Illegal model clauses would spark an "Armageddon of global data flows", Eduardo Ustaran, partner at law firm Hogan Lovells, told the Financial Times.
Max Schrems, the Austrian law student whose case against Facebook brought about the demise of Safe Harbour, said: "If model contract clauses go, it will be huge for all the industry.
"There's no way that the ECJ can say that model contract clauses are valid if they killed Safe Harbour on the same grounds. Everyone in the room knows model contract clauses are a shaky thing, but it was the best they had so far."
Just spent a year working on them? Too bad, Intel's lost interest
Sony factory in Wales now making 100,000 Raspberry Pis every week
38-year-old Alexander Vinnik faces up to 55 years in jail
Threadripper also available from today if you want a lot more power - but you'll have to wait for the motherboards to appear