EU member states will start reviewing details of the EU-US Privacy Shield next month and are getting ready for “extremely complex” discussions before they approve the controversial data transfer deal.
National officials will meet for the first time on 7 April to assess the new agreement. While they can make changes, their approval of the deal is needed for it to go into effect.
One EU official who will take part in the negotiations said it’s unclear how many meetings the committee will hold but he expected their review would “take some time”.
EU officials told EurActiv that they are trying to find out whether the agreement will need to be sent back to US negotiators for another round of approval if they make drastic changes.
European Digital Commissioner Günther Oettinger said earlier this week that the Commission wants the deal to go into effect by June. But member states and national data protection authorities have yet to come out with their positions.
Commission and US negotiators struck a deal in early February on the new agreement that will allow companies that sign up to transfer personal data from the EU to the US. Privacy Shield will replace the 15 year-old Safe Harbour agreement that was toppled by the European Court of Justice last October on grounds that EU citizens’ data could too easily be accessed by intelligence agencies once it’s transferred to the US.
On 12-13 April, one week after the national government officials start negotiating on the agreement, privacy watchdogs from EU member states are set to issue their own opinion on the new agreement.
Speaking at a European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee meeting yesterday (17 March), Isabelle Falque-Pierrotin, chair of the group of data protection authorities, said the watchdogs are wary of the deal because it doesn’t set a limit to how long companies can store data after transferring it to the US.
“We feel there is an absence of rules about data retention in the Privacy Shield,” Falque-Pierrotin told the committee.
Data retention was ruled illegal in the EU by a 2014 ECJ decision.
A senior US government official told journalists following the committee meeting that there is no “explicit call for deletion of data at a certain point.”
The data protection authorities’ opinion isn’t binding, but since they will investigate privacy complaints and can potentially stop data transfers to the US, their position carries political weight.
While EU officials gear up for the final stretch of talks before Privacy Shield is approved, US negotiators spent this week in Brussels to promote the agreement.
Robert Litt, the top legal councillor to the US intelligence committee, met privately with MEPs this week.
Ted Dean and Justin Antonipillai of the US Department of Commerce, which manages the agreement in the US, helped Commission officials defend the deal to a room of concerned MEPs at yesterday’s LIBE committee meeting. Max Schrems, the Austrian lawyer who filed the complaint that brought down the Safe Harbour agreement, also spoke at the meeting.
European Commission and EU officials promised that privacy complaints would be addressed without interference from the US government and vowed that the entire Privacy Shield agreement would not be threatened when a new US president takes office.
They also cited a 2014 Obama administration reform that ruled out intelligence agencies’ bulk collection of personal data. But that reform includes six exceptions when data can be collected in bulk, including to gather information relating to terrorism, cybersecurity and espionage.
German S&D MEP Birgit Sippel (SPD) questioned whether those exceptions would satisfy the ECJ’s October verdict on Safe Harbour, which called mass surveillance illegal.
“To me this does not exclude the possibility of bulk collection of personal data,” Sippel said.
Following the committee meeting, a senior US government official rejected criticism that the six exceptions might be too broad.
“I think those are reasonably concrete and specific,” the US official told reporters.
“I think most people have an understanding of what terrorism is. Most people have an understanding of what is necessary for cybersecurity,” the official added.
A source representing an EU member state in the negotiating committee set to meet next month said he would like the agreement to include more details outlining when EU citizens’ data can be collected in bulk once it is transferred to the US.
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
- 7 April 2016: Officials EU member states meet to start assessment of Privacy Shield, which will ultimately lead to a binding decision.
- 12-13 April 2016: EU national data protection authorities meet in plenary session and issue a non-binding opinion on Privacy Shield.
- June 2016: European Commission aims to have Privacy Shield in effect
European Commission: EU-US Privacy Shield agreement (29 February 2016)