The EU’s top privacy monitor blasted the still pending Privacy Shield agreement yesterday (30 May), dealing a blow to the European Commission-brokered data transfer agreement with the United States.
EU Data Protection Supervisor Giovanni Buttarelli said the agreement still needs “significant improvements”. Commission officials who worked on the deal will find that tough to swallow—they insist negotiations with the US are already over.
The watchdog’s opinion on Privacy Shield is not binding, but it does increase pressure on the Commission to make changes to the controversial deal.
The executive will likely not be able to significantly alter the agreement without starting up lengthier negotiations again.
Time is running out for the Juncker Commission to deliver a finished agreement by its own deadline. Justice Commissioner Vera Jourova and Digital Commissioner Günther Oettinger said previously that they want Privacy Shield to go into effect by the end of June.
Buttarelli warned that the agreement is “not robust enough” to survive a legal challenge like its predecessor Safe Harbour, which was ruled illegal by a bombshell European Court of Justice decision last October.
EU member states will start reviewing details of the EU-US Privacy Shield next month and are getting ready for “extremely complex” discussions before they approve the deal.
He also published a 16-page opinion detailing flaws in the new agreement, including six exceptions under US law that allow authorities to collect personal data in bulk. Those exceptions have been a sore point in the agreement. Several MEPs asked for tighter definitions in the 2014 Obama administration reform that limits bulk data collection to cases involving terrorism, espionage, cybersecurity, transnational crime, weapons of mass destruction or threats to the US military.
A senior US government official rejected criticism that those exceptions are too broad during a visit to Brussels earlier this year. “I think most people have an understanding of what terrorism is. Most people have an understanding of what is necessary for cybersecurity,” the official told journalists.
Buttarelli’s critique comes one week after the European Parliament passed a non-binding resolution asking the Commission to reopen negotiations with the US and fix a number of flaws in the agreement.
Buttarelli is also a member of the group of European data protection authorities who demanded improvements to Privacy Shield in April.
Jourova told MEPs last week that she wants the deal to be approved by summer, but the executive is still finalising details with US officials. A group of diplomats from EU member states have to give their approval before the agreement can go into effect. So far the group has meetings scheduled through until the end of June.
The European Parliament has asked the Commission to reopen negotiations with the United States and shore up gaps in the Privacy Shield agreement.
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
- Summer 2016: EU Justice Commissioner Vera Jourova wants member states to approve the Privacy Shield agreement
- European Data Protection Supervisor: opinion on Privacy Shield (30 May 2016)