The EU’s top privacy monitor blasted the still pending Privacy Shield agreement yesterday (30 May), dealing a blow to the European Commission-brokered data transfer agreement with the United States.
EU Data Protection Supervisor Giovanni Buttarelli said the agreement still needs “significant improvements”. Commission officials who worked on the deal will find that tough to swallow—they insist negotiations with the US are already over.
The watchdog’s opinion on Privacy Shield is not binding, but it does increase pressure on the Commission to make changes to the controversial deal.
The executive will likely not be able to significantly alter the agreement without starting up lengthier negotiations again.
Time is running out for the Juncker Commission to deliver a finished agreement by its own deadline. Justice Commissioner Vera Jourova and Digital Commissioner Günther Oettinger said previously that they want Privacy Shield to go into effect by the end of June.
Buttarelli warned that the agreement is “not robust enough” to survive a legal challenge like its predecessor Safe Harbour, which was ruled illegal by a bombshell European Court of Justice decision last October.
He also published a 16-page opinion detailing flaws in the new agreement, including six exceptions under US law that allow authorities to collect personal data in bulk. Those exceptions have been a sore point in the agreement. Several MEPs asked for tighter definitions in the 2014 Obama administration reform that limits bulk data collection to cases involving terrorism, espionage, cybersecurity, transnational crime, weapons of mass destruction or threats to the US military.
A senior US government official rejected criticism that those exceptions are too broad during a visit to Brussels earlier this year. “I think most people have an understanding of what terrorism is. Most people have an understanding of what is necessary for cybersecurity,” the official told journalists.
Buttarelli’s critique comes one week after the European Parliament passed a non-binding resolution asking the Commission to reopen negotiations with the US and fix a number of flaws in the agreement.
Buttarelli is also a member of the group of European data protection authorities who demanded improvements to Privacy Shield in April.
Jourova told MEPs last week that she wants the deal to be approved by summer, but the executive is still finalising details with US officials. A group of diplomats from EU member states have to give their approval before the agreement can go into effect. So far the group has meetings scheduled through until the end of June.