An influential European Union privacy group has rejected the recently agreed Privacy Shield data sharing agreement between the EU and the United States, claiming that several points need to be clarified to ensure the safety of citizens’ data.
Privacy Shield, announced a couple of months ago, is the successor to the Safe Harbor deal which was effectively invalidated by a European Court of Justice ruling. That decision upheld a complaint from a German law student who argued his Facebook data may not be safe in the US thanks to NSA snooping.
Now the Article 29 Working Party – a group comprised of representatives from member states’ data protection authorities – has voiced “strong concerns” over the new agreement and asked for a new review.
It argued in a statement yesterday that key EU data protection principles are not adequately reflected in it, and that the US has yet to provide “sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU.”
It concluded:
“The Working Party notes the improvements the Privacy Shield offers compared to the invalidated Safe Harbor decision. But, given the concerns expressed and the clarifications asked, it urges the Commission to resolve these concerns and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.”
The non-profit Information Technology and Innovation Foundation (ITIF) expressed disappointment at the decision.
“While members of the Article 29 Working Party should continue to offer suggestions on how to strengthen this agreement—and there are opportunities for improvement—the opportunity for improvement should not preclude official approval of the agreement,” it argued.
"A prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, hurting businesses, workers, and consumers. Moreover, there will be many opportunities to build on the initial Privacy Shield Framework, as all parties involved have already agreed to meet at least annually to discuss how to further improve the functioning, implementation, supervision, and enforcement of the framework.”
Deema Freij, global privacy officer at Intralinks, claimed that if the working party’s views aren’t taken seriously, it could mean trouble in the EU courts further down the line.
“For businesses, however, this news isn’t too catastrophic. After the demise of Safe Harbor, companies realized it’s good to have back-up plans should one legal route be shut off,” she added.
“EU Model Clauses and Binding Corporate Rules are still seen as legitimate alternatives to the Privacy Shield according to today’s announcement. At the moment, businesses have switched - or are switching - to EU Model Clauses so they are able to transfer personal data to the US - and they can continue to use these in spite of the decision today.”