EU privacy watchdogs have slammed the Privacy Shield transatlantic data transfer agreement, saying that while the successor to Safe Harbour is a step in the right direction, changes need to be made to the pact.
The Article 29 Data Protection Working Party has demanded changes to the Privacy Shield agreement, introduced to replace Safe Harbour and to set out stronger obligations on US companies to protect the personal data of Europeans.
The panel of EU privacy watchdogs recommended revisions to a number of points in the proposed agreement, with concerns ranging from the complexity of the agreement, to the lack of revision mechanism to deal with the introduction of the General Data Protection Regulation in 2018.
However, the major concern centred on US data collection of EU citizens, with the Working Party concerned over the ‘massive and indiscriminate’ bulk collection of citizen data. The privacy watchdog also took issue with the proposed ‘ombudsperson’ function which would give EU citizens a supposed straight forward way in which to complain about data misuse.
Raising the question over how much power the US official would actually have, Isabelle Falque-Pierrotin, the chairwoman of the Working Party, said: "We believe that we don’t have enough security [or] guarantees in the status of the ombudsperson and in their effective powers to be sure that this is really an independent authority."
The news of the Working Party’s failure to endorse the Privacy Shield agreement has been met with criticism from numerous data protection experts, with Phil Lee, protection partner at European law firm Fieldfisher, summing up the news as ‘transatlantic chaos’ and only serving to further leave US businesses in data limbo.
"The Working Party’s opinion today can really be summed up in two words: transatlantic chaos. If the Privacy Shield doesn’t get adopted, countless US businesses will be left scratching their heads in wonder as to how they can continue to service their EU customers lawfully."
"The Working Party’s opinion creates a real problem for the Commission. Does it go against the view of the Working Party and adopt the Privacy Shield anyway? Or does it go back to the drawing board with the US Department of Commerce and try to negotiate a better deal?" Lee said.
This opinion was shared by the ITIF, a technology policy think-tank, whose Vice President Daniel Castro stressed the importance of getting businesses out of the aforementioned data limbo. Urging the European Commission to affirm the adequacy of the Privacy Shield Framework, he said:
"While members of the Article 29 Working Party should continue to offer suggestions on how to strengthen this agreement — and there are opportunities for improvement — the opportunity for improvement should not preclude official approval of the agreement.
"A prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, hurting businesses, workers, and consumers. Moreover, there will be many opportunities to build on the initial the Privacy Shield Framework, as all parties involved have already agreed to meet at least annually to how to further improve the functioning, implementation, supervision, and enforcement of the framework.
"But given the crucial importance of transatlantic data flows to the global digital economy, the national data protection authorities should not try to hold the digital economy hostage to extract further tweaks to the agreement."
However, the campaigner behind the challenging of Safe Harbour – Max Schrems – welcomed the Working Party’s criticism of Privacy Shield. Doubting that the European Commission will make any noticeable revisions and will push through the agreement anyway, he said:
"Given the negative opinion, a challenge to the Privacy Shield at the courts is even more promising. Privacy Shield is a total failure that is kept alive because of extensive pressure by the US government and some sectors of the industry."
