A group of European data protection officials have voiced concerns over a proposed new agreement for the transfer of customer and employee data from Europe to the U.S. — known as Privacy Shield — highlighting issues with the “massive and indiscriminate” collection of data by the U.S. government as well as the level of independence a U.S. government-appointed ombudsman would have.
The nonbinding opinion of the Article 29 Working Party, which is made up of data protection commissioners from each of Europe’s 28 member states, was published Wednesday. The chairwoman of the group, Isabelle Falque-Pterrotin, said that while there were significant improvements in Privacy Shield over the Safe Harbor agreement it proposes to replace, “we have concerns and urgent need for clarification.”
The details of Privacy Shield were published in February after two years of negotiations between the European Commission and the U.S. Department of Commerce. “Our first reaction was very positive toward Privacy Shield because it answered to the demand we had formed in October,” Falque-Pterrotin said at a press conference in Brussels.
The Safe Harbor agreement had been in place for over 15 years when it was ruled invalid by the European Court of Justice in October last year. The judge ruled that as a result of revelations about the U.S. government’s surveillance apparatus, it could no longer be claimed that data — everything from your Facebook posts to employee payroll information — transferred to the U.S. was safe.
Over 4,000 U.S. companies — companies like Google, Microsoft, Facebook and others — relied on Safe Harbor to transfer data across national borders without having to comply with multiple sets of privacy rules. Without an agreement, tech multinationals would have to build hosting facilities in each country they operate in and would not be able to move private data as easily. Since the mechanism was ruled invalid, these companies have been left in limbo.
While the opinion of the Working Party is nonbinding and Privacy Shield can be adopted without the group's approval, the report will be seen as a blow to the hopes of getting Privacy Shield in place quickly. While there remain other avenues for companies to legally transfer data across the Atlantic, Privacy Shield would represent the easiest and most cost-effective route. The commission has yet to issue its final decision on Privacy Shield — expected in mid-June — and negotiations between the U.S. and Europe continue.
While Privacy Shield offers a relatively easy mechanism for these companies, it would still require additional work. “The Privacy Shield introduces a lot of additional obligations and liability for U.S. organizations, including an annual registration and self-certification process, agreeing to certain EU data-protection principles, and subjecting their organizations to oversight by the U.S. Department of Commerce and the FTC,” Aaron Tantleff, a lawyer specializing in privacy and security at Foley & Lardner, told International Business Times.
Responding to the Working Party's opinion, the Computer and Communication Industry Association welcomed the report, saying, “It is essential to our trans-Atlantic economy as thousands of small and medium-sized businesses depend on it for data flows.”
The Working Party has two main concerns with the proposed new deal. The first is that “massive and indiscriminate” bulk data collection has not been addressed. “The possibility that is left in [Privacy Shield] for bulk collection which is massive and indiscriminate is not acceptable,” Falque-Pterrotin said.
The second major issue the group has with the new agreement is in relation to an entirely new role of an ombudsperson to oversee how European citizen’s data is handled. The group says the creation of the role is a major step forward, it has concerns about the independence and effectiveness of the powers of the ombudsperson. “We don’t believe we have enough securities and guarantees in the status of the ombudsperson in order to be sure this is really an independent authority,” Falque-Pterrotin said.
These concerns echo those voiced by Privacy International, which stated in a report last week that Privacy Shield “does not significantly limit the ability of U.S. intelligence agencies to collect and use personal communications on a mass scale.” Privacy International additionally warned that the proposed ombudsperson “lacks independence from the executive, as he/she is appointed by and reports to the secretary of state.”
For the thousands of companies who have been left in legal limbo as a result of the striking down of Safe Harbor, the uncertainty continues. Falque-Pterrotin reiterated that any company using Safe Harbor as a mechanism to transfer data from Europe to the U.S. was in an “illegal situation” though individual data protection authorities have indicated they would not seek prosecutions until a new deal is in place.
There remain a number of alternative methods for companies to transfer data across the Atlantic, including binding corporate rules (BCRs) or standard contract clauses (SCCs) but both of these are complex legal constructs and require significant time and resources to put in place. The Working Party is also expected to investigate the legality of these mechanisms in the near future.