Privacy Shield has a new detractor, and that spells bad news for businesses built on the transatlantic transfer of personal data.
The Privacy Shield agreement is intended to protect the privacy of European Union citizens when their personal information is processed in the U.S., but it has found few supporters since the European Commission unveiled an unfinished draft of the agreement in January.
Even after the Commission published further details, in April, the critics continued to pile on. Last month, national data protection authorities from across the EU said it still needed significant work, and last week the European Parliament said it too is unsatisfied.
Now it's the turn of the European data protection supervisor, appointed by the Commission to advise EU institutions on privacy and data protection matters.
EDPS Giovanni Buttarelli wants the Commission to negotiate improvements to Privacy Shield in three main areas: limiting exemptions to its provisions; improving its redress and oversight mechanisms, and integrating all the main EU data protection principles.
The Commission began negotiating Privacy Shield last October, when the Court of Justice of the EU struck down its predecessor, the Safe Harbor Agreement, saying it was inadequate.
Businesses that had previously relied on Safe Harbor were invited by the Commission to use other mechanisms provided for in the 1995 Data Protection Directive, such as standard contract clauses and binding corporate rules, to continue legally exporting data.
Many observers have said that those alternative mechanisms suffer from the same deficiencies as did Safe Harbor, particularly the protection of personal data from bulk surveillance by U.S. security services, but their adequacy has not yet been tested in court.
That may soon change, as the Irish data protection commissioner called last week for the CJEU to examine the legality of standard contract clauses. If the court decides they too are inadequate, then a swift conclusion to the Privacy Shield negotiations will be vital if the transatlantic flow of data is not to be interrupted.
The EDPS is concerned that Privacy Shield's provisions on surveillance are a step in the wrong direction.
"Whereas the 2000 Safe Harbour Decision formally treated access for national security as an exception, the attention devoted in the Privacy Shield draft decision to access, filtering and analysis by law enforcement and intelligence of personal data transferred for commercial purposes indicates that the exception may have become the rule," Buttarelli wrote in a report published late Monday.
"The purposes for which exceptions are allowed and the requirement of a legal basis should be more precise," he wrote.
Buttarelli's concerns echo those of the European Parliament, expressed in a resolution last Thursday.
They too warned of deficiencies in the arrangement, notably the possibility for U.S. authorities to collect bulk data in ways that do not meet the criteria of necessity and proportionality. They also criticized the complexity of the redress mechanism if data is mishandled, and the insufficient independence of the U.S. ombudsperson who will resolve data disputes.