European privacy watchdogs have received “a few” complaints about the privacy shield data transfer agreement with the United States since it was brokered one year ago, the EU’s top privacy advocate said in an interview.
A group of data protection authorities from EU member states will meet later this month to prepare for a first review of the agreement in Washington, in what will be a make-or-break check on whether President Donald Trump’s administration will stick to the agreement.
A handful of the watchdogs will fly to Washington for the two-day review starting on 18 September, along with a number of experts from the European Commission.
European Data Protection Supervisor Giovanni Buttarelli will not be part of the delegation, but will send another privacy specialist from his office.
Since the Commission sealed the privacy shield agreement in summer 2016 with officials from former President Barack Obama’s administration, almost 3,000 companies have signed up to “self-certify” that they comply with the programme’s safeguards – allowing them to transfer consumers’ personal data from the EU to the US.
The arrangement is a tailor-made fix to keep up data flows to the US, even though American data protection rules don’t meet the EU’s privacy standards.
Privacy campaigners already filed two complaints against privacy shield at the European Court of Justice last year. The threat to the agreement is real. In 2015, the court ruled its predecessor, the EU-US safe harbour agreement, illegal. Hearings on the two pending cases have not started yet.
Buttarelli claims that the EU data protection supervisor has “always” predicted the court’s rulings on privacy cases. The office was set up in 2004 and he was made its chief in 2014.
“We can say, ‘We told you so,’” Buttarelli said.
He declined to say whether the court will knock down privacy shield, but insisted that regardless of what the EU delegation decides next month—it could suspend the deal if EU officials determine that the US is not following the rules—the agreement should only be temporary.
“In my view it’s an interim instrument for the short term. Something more robust needs to be conceived,” Buttarelli said.
“We should work in two tracks, the short period provided we satisfy the conditions. And the long one,” he added.
A strict new data protection law is set to go into effect in the EU next year, which Buttarelli says will require even tougher standards for digital trade with countries outside the bloc. That could mean that the EU must require those countries to have clearer cut data protection laws before signing any deal allowing its citizens’ data to be moved abroad, he said.
One hard-fought guarantee in privacy shield is a promise that US intelligence agencies will not spy on European data in “bulk” unless that is required for specific security purposes. But that safeguard is not written into US law.
Buttarelli called it “surprising” that nearly seven months after taking office, the Trump administration has still not appointed a permanent “ombudsperson” to oversee citizens’ complaints about the privacy shield, or appointed new members to the Privacy and Civil Liberties Oversight Board, a government body that monitors whether security measures restrict privacy.
Claude Moraes, a British Socialist MEP who visited Washington in June with a European Parliament delegation, said after he returned from the trip that there are still a number of problems in the deal that should be addressed “immediately”.
Earlier this year, EU Justice Commissioner Věra Jourová still showed patience with the Trump administration’s slow start to administering the agreement. While the administration hasn’t appointed an ombudsperson in the State Department to oversee the deal, there are still thousands of unfilled jobs in the State Department, Jourová assured MEPs in April.
For some in the EU delegation, patience may be running thin.
“I understand that in the US they have many other problems in this new administration, so privacy and data protection are not necessarily a priority. But if we look at the strategic dimension and what it means internationally speaking, they should realise that it should now be a priority,” Buttarelli said.
“It’s surprising that the biggest country in the world in terms of IT, in terms of democracy, still builds on an approach which is now objectively speaking not fit for the big data world,” he added, referring to the lack of broad data protection laws applying to different business sectors in the US.
US government surveillance was one of the thorniest issues that dragged out negotiations over privacy shield, when EU officials in charge of sealing the agreement struggled to secure guarantees from the Obama administration last year.
Buttarelli said the complicated negotiations over privacy shield could become a cautionary tale. He warned that the United Kingdom could face similar negotiations if it leaves the EU internal market after Brexit, which is expected in 2019.
“The worst scenario is that they’ll just be a member of the EFTA area [and leave the single market], in which case the whole system will be scrutinised, including intelligence, like we did for the US. Here is where we may have some interesting developments,” he said.
“That means complexity,” he added.