European privacy watchdogs gave a damning verdict Wednesday (14 April) of the Privacy Shield, the draft deal for data transfers from the EU to the US, and warned the European Commission to shore up gaps in the new agreement on national security agencies.
National data protection authorities from EU countries said they see a “significant need for clarification” on exceptions in the agreement that allow US intelligence authorities to collect data in bulk.
The group also criticised the several new methods for people to file complaints about the security of their data once it has been transferred to the US.
“There are too many avenues for the end user to find the right interlocutor to go to,” said Isabelle Falque-Pierrotin, president of the group of privacy watchdogs and chief of the French authority CNIL. She added that the various options for presenting a privacy complaint are “too complex”.
At the end of February the European Commission published several written pledges between EU and US officials for a new data transfer agreement to replace the now infamous Safe Harbour agreement, which was ruled invalid by the European Court of Justice (ECJ) last October.
The privacy watchdogs’ opinion on Privacy Shield is not binding, but the Commission and member states will be under pressure to listen to the group’s complaints. National data protection authorities can suspend international data transfers and legislation in some countries allows them to bring the agreement to the ECJ.
But a group of representatives from EU member states does get to hold a binding vote on the agreement.
Commission officials want the Privacy Shield fully approved by June.
In a statement on Wednesday, EU Justice Commissioner Vera Jourova said the representatives from member states will decide on the deal in May.
One national representative who is taking part in the discussions said they were not informed that a date for the vote had been set. The group met for the first time last Thursday (7 April) and was notified this afternoon that its next meetings will take place on 29 April and 19 May.
Falque-Pierrotin declined to say whether the June deadline is realistic, given that member states can still demand changes in the agreement.
“Will it be June? September? We don’t know,” she said.
The watchdogs said that binding corporate rules and model contract clauses, the alternative legal tools that many companies switched to after Safe Harbour was knocked down in court, will remain valid for the time being.
But the group criticised the new ‘ombudsperson’ that will work out of the US Department of State to review privacy complaints.
“We don’t have enough security guarantees on the status of the Ombudsperson and on the effective powers on this Ombudsperson in order to be sure that this really is an independent authority,” Falque-Pierrotin said.
The group of watchdogs wants there to be clearer rules on what defines terrorism, espionage and cybersecurity, three of the six exceptions that warrant US authorities’ bulk collection of personal data.
Falque-Pierrotin said that the group acknowledges the “growing tendency to collect ever more data on a massive and indiscriminate scale in light of the fight against terrorism.”
But they want US and EU authorities to clearly outline when they’ll collect data relating to terrorism cases.
One official from the Dutch data protection authority’s office said those exceptions are “still very broadly defined and can’t count as targeted data collection. For us it’s still indiscriminate and massive data collection,” he said. “That’s not very specific.”
A senior US government official said during a visit to Brussels last month,“I think most people have an understanding of what terrorism is. Most people have an understanding of what is necessary for cybersecurity”.
Falque-Pierrotin balked at that claim.
“When you infringe data protection for legitimate purposes there needs to be a very clear legal framework,” she told euractiv.com today.
Jourova said in a statement that the watchdogs’ opinion contains “a number of useful recommendations and the Commission will work to swiftly include them in its final decision.”
But one national representative in the negotiating group that will vote on Privacy Shield said getting a clearer definition of when US authorities can access data to prevent terrorism would mean renegotiating the entire agreement.
“These were not questions of form but questions of substance. Any question of substance requires going back to the drawing board,” the official said.
The group is eager to approve the deal as soon as possible, but today’s reaction from the data protection authorities could prod the group of national representatives to ask for more changes.
Several data protection authorities said they expect the Commission may dismiss their demands and rush to get Privacy Shield approved to avoid renegotiating the entire agreement with US officials.
Companies are worried that the agreement may be delayed for months if the Commission demands US negotiators address all of the privacy watchdogs’ concerns. They argue that would keep them in legal limbo.
Wim Nauwelaerts, managing partner at law firm Hunton & Williams in Brussels said the group’s opinion is “basically sending the European Commission back to the drawing board on essential elements of the Privacy Shield.”
“The US authorities will probably not be keen to re-open negotiations on those elements. Even if they do, it looks unlikely that the Shield will be up and running early June, as initially projected by the Commission,” Nauwelaerts added.
German federal data protection authority Andrea Voßhoff: "In order to avoid another failure before European courts, the Commission is obligated to take up necessary adjustments to the adequacy decision in its negotiations with the US, considering the the concerns and open questions raise by the Article 29 group's opinion."
Christian Borggreen, director of the Brussels office for tech and internet industry lobby group CCIA: “Europe’s economy depends on information sharing with the world. We encourage Member States to adopt the Privacy Shield without delay to provide legal clarity for thousands of European and U.S. companies and consumers.”
Software lobby group Business Software Alliance (BSA): "BSA does not, however, fully share the views expressed by the Article 29 Working Party. In particular, we believe the new privacy safeguards that were recently introduced into US law as well as in the Privacy Shield itself allow for a finding of essential equivalence between the EU and US regimes."
Monique Goyens, director general of the European Consumer Organisation (BEUC): "The Commission must heed this call from Europe’s data protection supervisors who basically give the Privacy Shield in its current version their thumbs down. European consumers expect their rights to be upheld. Too much time has passed already since the European Court struck down the Privacy Shield’s predecessor Safe Harbor."
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
- 29 April 2016: member state representatives meet to negotiate on Privacy Shield
- 19 May 2016: member state representatives meet to negotiate on Privacy Shield
- May 2016: national representatives will vote on Privacy Shield
- June 2016: European Commission aims to have Privacy Shield in effect
- Article 29 Working Party on data protection: opinion on Privacy Shield (13 April 2016)