A major technology industry association has lashed out at national data protection regulators for a critical report on the EU’s privacy shield data agreement with the United States.
DigitalEurope, a lobby group that represents tech firms including Google, Amazon and Microsoft, sharply criticised a group of national privacy authorities from EU countries, who threatened to file lawsuits that could topple the deal.
The regulators warned that they may take legal action if the US government does not add tighter data protection safeguards to the agreement by May 2018.
Cecilia Bonefeld-Dahl, the director of DigitalEurope, said on Wednesday (6 December) that if the watchdogs “believe the Commission is mistaken in its assessment” from September to continue the privacy shield agreement, “then we call on them to roll up their sleeves and join their colleagues on both sides of the Atlantic in improving its implementation and enforcement, as opposed to acting as disinterested observers”.
In September, the Commission named a list of improvements it wants the US government to make to the one-year-old agreement. But the EU executive said that EU citizens’ data is protected when companies transfer it to the US using the deal.
So far, more than 2,000 companies have signed up to the privacy shield agreement, which allows them to move commercial data from the EU to the US if they guarantee they will uphold consumes’ privacy. It is a tailor-made deal that officials from the European Commission and the US Department of Commerce discussed for almost three years.
Privacy shield makes it easier for companies to operate in both the US and the EU: there can be no blanket data transfers from the EU to the US without the deal because American laws do not meet the strict EU data protection standards.
DigitalEurope’s rebuke of the national watchdogs marks a sharpening of the tech industry’s critique of how the agreement is monitored.
The Commission is the only EU body responsible for negotiating privacy shield with the US government, but national data protection authorities have power to stop the deal. They can file lawsuits against the agreement if they determine that EU citizens’ data is no longer protected when it travels to servers in the US.
Tech companies have argued that privacy shield is the channel for billions of euros in transatlantic trade, and that authorities should protect it from any legal action that could cause it to be repealed.
In the report they published on Tuesday, the national data protection authorities made it clear that they have already discussed legal action against privacy shield.
The watchdogs said the Commission should “restart discussions” with the US. They warned that if the US government does not make a number of changes by 25 May 2018, they will “take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts”, which could then be sent to the European Court of Justice.
Such a step could spell the end of the data transfer deal: in 2015, the ECJ ruled that the predecessor to privacy shield, the EU-US safe harbour agreement, was illegal. After that decision, companies scrambled to find alternative legal methods to keep transferring consumer data out of the EU.
Watchdogs from EU countries said in the report that the US government must by next May appoint an independent ombudsperson, an official who will oversee consumers’ complaints. Negotiators agreed in 2016 that the new position would be set up in the US Department of State. The Trump administration has not yet named a permanent official for the job.
National data protection authorities also want rules on how privacy shield operates to be declassified by next May.
A Commission spokesman said that the watchdogs’ report “confirms the relevance of the Commission’s recommendations for further improvements”.
The Commission has also criticised the Trump administration for failing to appoint an ombudsperson, but did not set a strict deadline for filling the role.
“The Commission has already started the process of working with the US administration to address the concerns. Commissioner Jourová sent letters to US Secretaries Ross, Sessions and Tillerson urging them to do the necessary improvements, including on the Ombudsman, as soon as possible,” the spokesman said, referring to US Secretary of Commerce Wilbur Ross, whose department oversees the privacy shield agreement, Attorney General Jeff Sessions and Secretary of State Rex Tillerson.
EU officials are in discussions with their US counterparts ahead of the second annual review of the privacy shield agreement, which is expected to take place in autumn 2018.
The expected timing of the meeting means that the privacy shield agreement could face lawsuits in Europe if the US government does not appoint an ombudsperson and meet the European data protection authorities’ other demands before officials gather again for a second official review.