The likelihood of the new Privacy Shield data sharing deal between the EU and US being ratified this month diminished further after the European Data Protection Supervisor (EDPS) claimed it was “not robust enough.”
Giovanni Buttarelli, who acts as independent adviser to the EU institutions on data protection issues, issued his opinion on the deal on Monday.
"I appreciate the efforts made to develop a solution to replace Safe Harbor but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court [European Court of Justice],” he said in a statement.
“Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue."
Buttarelli’s words echo those of influential EU privacy group the Article 29 Working Party, which issued its own opinion on Privacy Shield, to which the EDPS contributed, back in April – effectively rejecting the deal as it stands.
Major concerns still exist around the US authorities' ability to carry out “indiscriminate surveillance” which might include sweeping up data on EU citizens.
Europe’s data protection czar also pointed out that from May 2018 the General Data Protection Regulation (GDPR) would apply to all international data transfers, adding another layer of regulation and severe penalties for non-compliance.
He urged EU legislators to “take their time” to find a suitable long-term solution.
However, many US technology providers will be frustrated that a deal still hasn’t been reached enabling a “streamlined and cost effective” way to exchange data between the two jurisdictions – particularly storing EU data in US cloud datacenters.
One option is the Binding Corporate Rules (BCRs) accreditation, according to BMC EMEA general counsel, Elodie Dowling.
The US giant claimed it achieved certification with this standard as a data controller and processer in anticipation of the end of Safe Harbor, and believes this will give it a competitive advantage over rivals.
“The BCRs represent the most comprehensive global data protection and privacy framework in the world, whilst also being in compliance with the most rigorous EU laws,” argued Downing. “With this recognition, companies who obtain BCR accreditation are permitted to transfer personal data outside of the EU in a secure manner and in accordance with local laws and regulations.”