European privacy watchdogs gave a damning verdict Wednesday (14 April) of the Privacy Shield, the draft deal for data transfers from the EU to the US, and warned the European Commission to shore up gaps in the new agreement on national security agencies.
National data protection authorities from EU countries said they see a “significant need for clarification” on exceptions in the agreement that allow US intelligence authorities to collect data in bulk.
The group also criticised the several new methods for people to file complaints about the security of their data once it has been transferred to the US.
“There are too many avenues for the end user to find the right interlocutor to go to,” said Isabelle Falque-Pierrotin, president of the group of privacy watchdogs and chief of the French authority CNIL. She added that the various options for presenting a privacy complaint are “too complex”.
At the end of February the European Commission published several written pledges between EU and US officials for a new data transfer agreement to replace the now infamous Safe Harbour agreement, which was ruled invalid by the European Court of Justice (ECJ) last October.
The privacy watchdogs’ opinion on Privacy Shield is not binding, but the Commission and member states will be under pressure to listen to the group’s complaints. National data protection authorities can suspend international data transfers and legislation in some countries allows them to bring the agreement to the ECJ.
But a group of representatives from EU member states does get to hold a binding vote on the agreement.
Commission officials want the Privacy Shield fully approved by June.
In a statement on Wednesday, EU Justice Commissioner Vera Jourova said the representatives from member states will decide on the deal in May.
One national representative who is taking part in the discussions said they were not informed that a date for the vote had been set. The group met for the first time last Thursday (7 April) and was notified this afternoon that its next meetings will take place on 29 April and 19 May.
Falque-Pierrotin declined to say whether the June deadline is realistic, given that member states can still demand changes in the agreement.
“Will it be June? September? We don’t know,” she said.
The watchdogs said that binding corporate rules and model contract clauses, the alternative legal tools that many companies switched to after Safe Harbour was knocked down in court, will remain valid for the time being.
But the group criticised the new ‘ombudsperson’ that will work out of the US Department of State to review privacy complaints.
“We don’t have enough security guarantees on the status of the Ombudsperson and on the effective powers on this Ombudsperson in order to be sure that this really is an independent authority,” Falque-Pierrotin said.
The group of watchdogs wants there to be clearer rules on what defines terrorism, espionage and cybersecurity, three of the six exceptions that warrant US authorities’ bulk collection of personal data.
Falque-Pierrotin said that the group acknowledges the “growing tendency to collect ever more data on a massive and indiscriminate scale in light of the fight against terrorism.”
But they want US and EU authorities to clearly outline when they’ll collect data relating to terrorism cases.
One official from the Dutch data protection authority’s office said those exceptions are “still very broadly defined and can’t count as targeted data collection. For us it’s still indiscriminate and massive data collection,” he said. “That’s not very specific.”
A senior US government official said during a visit to Brussels last month,“I think most people have an understanding of what terrorism is. Most people have an understanding of what is necessary for cybersecurity”.
Falque-Pierrotin balked at that claim.
“When you infringe data protection for legitimate purposes there needs to be a very clear legal framework,” she told euractiv.com today.
Jourova said in a statement that the watchdogs’ opinion contains “a number of useful recommendations and the Commission will work to swiftly include them in its final decision.”
But one national representative in the negotiating group that will vote on Privacy Shield said getting a clearer definition of when US authorities can access data to prevent terrorism would mean renegotiating the entire agreement.
“These were not questions of form but questions of substance. Any question of substance requires going back to the drawing board,” the official said.
The group is eager to approve the deal as soon as possible, but today’s reaction from the data protection authorities could prod the group of national representatives to ask for more changes.
Several data protection authorities said they expect the Commission may dismiss their demands and rush to get Privacy Shield approved to avoid renegotiating the entire agreement with US officials.
Companies are worried that the agreement may be delayed for months if the Commission demands US negotiators address all of the privacy watchdogs’ concerns. They argue that would keep them in legal limbo.
Wim Nauwelaerts, managing partner at law firm Hunton & Williams in Brussels said the group’s opinion is “basically sending the European Commission back to the drawing board on essential elements of the Privacy Shield.”
“The US authorities will probably not be keen to re-open negotiations on those elements. Even if they do, it looks unlikely that the Shield will be up and running early June, as initially projected by the Commission,” Nauwelaerts added.