The non-binding act was approved by 501 votes to 119, plus 31 abstentions, on Thursday. Members of the European Parliament (MEPs) requested that the European Commission address the "deficiencies" in the new arrangement.
In particular, the resolution underlined how the agreement would allow US authorities to use bulk collection of EU citizens' data in "exceptional cases”, which is against the EU Charter of Fundamental Rights. It also highlighted that the US "ombudsperson" in charge of ensuring compliance with the treaty would not be independent or powerful enough, and that the current mechanism for compensation is not "user-friendly and effective."
The EU is still shell-shocked after the revelations made in 2013 by former security contractor Edward Snowden about the US's global surveillance program, which effectively spelt doom for Privacy Shield's predecessor data-transfer framework Safe Harbour.
The Safe Harbour scheme, approved in 2000, had established some key principles, with which American companies operating in Europe should comply to be allowed to transfer EU citizens' data back to the US.
In 2014, Austrian privacy activist Max Schrems lodged a complaint against Facebook's practice to transfer EU users' data to US servers. He pointed out that it was likely US law enforcement agencies would access data stored on US territory, and that the Safe Harbour arrangement had no mechanism to prevent that from happening.
In October 2015, the European Court of Justice agreed with Schrems and declared Safe Harbour invalid as "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life."
Privacy Shield, agreed on last February but still to be enforced, was meant to fix this problem creating stricter rules for US companies handling personal data, stronger enforcing and monitoring mechanisms, and establishing specific criteria for US authorities to access EU personal data.
But some privacy activists — including Schrems — think the arrangement is not enough, a view that now is shared by the European Parliament, too.
The final say, though, will be the Commission's, which will have to decide on the privacy Shield agreement (and possible renegotiations) by the end of June.