European data regulators have criticised the Privacy Shield framework designed to protect the data of citizens that is transferred to the US. Regulators said that the latest revamp was still inadequate and could require further amendments to address the “bulk collection” of information.
The EU-US Privacy Shield was agreed earlier this year as a replacement for the EU-US Safe Harbour framework, which was ruled unlawful by a European court in 2015. The Article 29 Working Party, a pan-EU group for data protection, has now said that some aspects are still not good enough and fail to counter the possible collection of personal data from Europe.
The Working Party added that there had been significant improvements in some areas of the Privacy Shield, but concerns remained about the fact that public authorities such as US intelligence may still be able to access the huge bulk of data under the new agreement. It also said that there was a lack of clarity about automated processing of data.
“Because the Privacy Shield will also be used to transfer data outside the US, the Working Party insists that onward transfers from a Privacy Shield entity to third-country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower, or circumvent, EU data protection principles,” the Working Party said in a statement.
The group’s opinions on Privacy Shield are not legally binding, but its concerns suggest that the agreement could face challenges in its current form. Deema Freij, global privacy officer at Intralinks, added that the EC and US bodies must take the criticism seriously and make the necessary modifications during the coming months.
Despite concerns from regulators, tech giant Microsoft said earlier this week that the Privacy Shield was a “step in the right direction” for data legislation. The EU-US Privacy Shield aims to place stronger obligations on US companies to protect the flow of personal data from Europe. It would require them to self-certify on an annual basis that they meet the requirements, display privacy policies on their websites, reply to complaints and comply with EU authorities.