European privacy watchdogs say they have a number of significant “concerns” with new international data transfer scheme Privacy Shield, promising further legal uncertainty for the thousands of companies reliant on transatlantic data flows.
The Article 29 Working Party praised improvements of Privacy Shield compared to its predecessor on Wednesday, but still raised concerns, including on bulk surveillance and the lack of powers of the proposed ombudsman.
The Working Party’s decisions are not legally binding, but carry significant weight — particularly ahead of likely legal challenges to the agreement.
Privacy Shield is designed as a replacement to Safe Harbour — a transatlantic legal mechanism that legitimised the transfer of personal data from Europe to the US, despite America’s lesser privacy protections.
It was abruptly struck down by the European Court of Justice (ECJ) in Autumn 2015 due to concerns over US government surveillance.
US spying — first revealed by exiled NSA whistleblower Edward Snowden — meant US companies could not provide adequate protections to Europeans’ data.
Safe Harbour wasn’t the only way to legitimise transatlantic data flows, but it was the most-straightforward, with more than 4,000 US companies relying on it to allow the transfer of everything from user data to payroll information.
Negotiators were already working to replace the 2000 agreement, but the ECJ’s decision created a new urgency. At the eleventh hour, a replacement was agreed upon — Privacy Shield.
It aims to solve the issues raised by the ECJ, but concerns have remained, particularly from rights groups. It’s likely that it will be challenged in the courts, and may well end up back at the European Court of Justice.
Article 29, a Working Party of European privacy watchdogs, announced their verdict on Wednesday. It highlighted multiple “concerns” with Safe Harbour as it currently exists. One is the risk of mass surveillance of Europeans by US agencies: “The possibility is left in the Shield and its annexes for bulk collection.”
Another is the status of the ombudsperson, a proposed independent mechanism within the US Department of State. The worry is that there still are not guarantees as to the powers, independence, and effectiveness of the ombudsman.”
There were previously reports that the regulators were not going to rubber stamp Privacy Shield because of their concerns.
There had also been speculation that Article 29 would make a decision on the validity of alternative legal mechanisms for data transfer like binding model clauses on Wednesday, but it declined to do so — meaning they remain valid for the “immediate time.”
Article 29’s decision will be published online on Wednesday afternoon.
More to follow…