Privacy Shield fails to gain approval, what now?
European data protection watchdog group says new agreement does not provide enough reassurance over US spying
The new Privacy Shield data sharing agreement between the United States and the European Union has failed to gain the public backing of a key European data protection group.
This is not unexpected after a leak last week suggested that the European Data Protection Authorities (the so-called “Article 29 Working Party” or WP29) – composed of watchdogs from influential member states – were not happy with the new agreement, as they considered it inadequate in a number of key areas.
Inadequate Safeguards
The new transatlantic Safe Harbour 2.0 agreement (or the EU-US Privacy Shield as it is also known) had been finally agreed in early February to replace the previous Safe Harbour legislation that was ruled invalid by Europe’s top court on 6 October last year.
The new deal is designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules. The European Commission (EC) published the details of the deal in late February, and the WP29 promised it would take a couple of months to examine the agreement.
But now, after months of consideration, the WP29 has warned of a number of concerns with the pact.
These concerns centre on the independence of a new US privacy ombudsman, as well as the need for more reassurance over US surveillance practices.
Isabelle Falque-Pierrotin, chair of the group of 28 data protection authorities, was quoted by Reuters as saying that an area of concern was “the possibility that is left in the Shield … for bulk collection which if massive and indiscriminate is not acceptable.”
The US government had sought to explain the limits and safeguards of the new agreement, but it emerged that US agencies can still collect European data in bulk and use it for six different purposes, including counterterrorism or cybersecurity.
“We think they are still very broadly defined and can’t count as targeted data collection, so for us it’s still indiscriminate and mass data collection,” Paul Breitbarth of the WP29 was quoted as saying.
Falque-Pierrotin meanwhile also expressed doubts about the effective powers and independence of the US ombudsman who will deal with EU complaints about US surveillance practices.
“We don’t have enough security guarantees in the status of the ombudsperson and in the effective powers of this ombudsperson in order to be sure that this is really an independent authority,” Falque-Pierrotin reportedly said.
It should be noted that the opinion of WP29 is not legally binding and it has no powers to block the new deal.
However, its opinion is considered to be influential, and the European Commission had hoped to include the regulators’ recommendations in the final decision, which it hopes to adopt in June.
Just Sign It
The WP29 judgement has divided opinion in the tech industry and will pose yet more uncertainties for businesses, especially since they could potentially face legal action over the matter.
Earlier this week, Microsoft came out in support of Privacy Shield, calling the new scheme a “step in the right direction”.
And the Information Technology and Innovation Foundation (ITIF) said it was “disappointed” the WP29 had not backed the agreement.
“We are disappointed that the Article 29 Working Party has not affirmed the adequacy of the EU-US Privacy Shield Framework negotiated between the European Commission and the US Department of Commerce,” said ITIF Vice President Daniel Castro.
“The new agreement offers a host of new protections, obligations and opportunities for redress that affirm the commitment of the US government to safeguard European data and respect the rights of European citizens,” said Castro. “Moreover, the agreement has achieved widespread support on both sides of the Atlantic from many policy-makers, businesses and advocacy groups for offering an opportunity to move forward after the European Court of Justice invalidated the Safe Harbor agreement in the Schrems decision.”
It said that a prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, and would hurt businesses, workers and consumers.
“…given the crucial importance of transatlantic data flows to the global digital economy, the national data protection authorities should not try to hold the digital economy hostage to extract further tweaks to the agreement,” said ITIF’s Castro. “We urge the European Commission to affirm the adequacy of the Privacy Shield Framework.”
Amendments Likely
Despite that, some analysts don’t believe the Privacy Shield agreement will go ahead without further amendments.
“The Article 29 Working Party … has sent the European Commission (EC) back to the drawing board on the Privacy Shield,” said Luca Schiavoni, senior analyst, regulation at analyst firm Ovum.
“Tech companies have eagerly awaited this agreement since the demise of Safe Harbor,” said Schiavoni. “Since the EC announced the key points of its deal with the US authorities, concerns have emerged about certain aspects, such as the many exceptions under which the bulk use of personal data could still be possible for US authorities.
“There are also concerns that the powers and independence of the ombudsperson, which should ensure that EU citizens have the ability to seek redress in cases of privacy breaches, are not clearly defined and guaranteed.”
Schiavoni pointed out that while WP29 has no legal say on the matter, the EC would be worried about building a framework that could face a legal challenge.
“If the European Court of Justice finds that the flaws of Safe Harbor have not been addressed in the Privacy Shield agreement, it will not hesitate to strike the latter down too,” said Schiavoni. “Companies affected by this agreement should prepare to face more uncertainty, because the deal is likely to undergo further amendments before it is finalised.”
The WP29 meanwhile has urged the Commission to review the Shield in two years’ time, when a stricter European data protection law comes into force.
Member states also still have to approve the framework before it is formally adopted by the Commission.