EU privacy advocates complain data-sharing pact not good enough

The US and European Union data-sharing plan known as Privacy Shield does not adequately protect Europeans' personal information, privacy watchdogs said Wednesday.

While the plan is a "major improvement" over the previous data transfer pact known as Safe Harbor, "we still have concerns and an urgent need for clarification," said Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Group, which is comprised of European data commissioners. The group had been examining the proposal since it was first announced in February.

Under the current proposal, "massive and indiscriminate" collection of Europeans' data could still be allowed under certain exceptions, said Ms. Falque-Pierrotin. Furthermore, the proposed US State Department ombudsperson designed to oversee data transfers and handle complaints does not have enough independence, she added.

While the working group's opinion is nonbinding, it's still a major blow for the many industry groups hoping for the quick adoption of a new transatlantic data agreement and an end to legal uncertainty about moving Europeans' personal information overseas. 

Last October, the European Court of Justice invalidated Safe Harbor, the 15-year old mechanism that allowed companies to move data abroad as long as organizations adhered to EU data protection laws. The court ruled that, due to recent revelations on US government surveillance, data transfers could not longer be considered safe.

That decision left companies in regulatory limbo when it came to data transfers. While alternative agreements for data transfers exist, Safe Harbor represented the most cost effective tool, particularly for small and medium companies less likely to have offshore data centers.

The opinion from the data protection agencies in Europe isn't unexpected, said Jens-Henrik Jeppesen, head of the Brussels office of Center for Democracy and Technology. After all, said Mr. Jeppesen said, Europeans' concerns about American government surveillance measures were never fully addressed in the Privacy Shield deal.

"It was never possible for the Privacy Shield negotiators to amend [the US] legislation" that granted government access to EU data, he said. "It has been negotiated by the Department of Commerce, and obviously, [Commerce] does not have the power to legislate."

Jeppesen's organization has argued from the beginning that to deal with the surveillance concerns requires amending the law, he said.

It is possible that the European Commission and the Commerce Department can work some changes into Privacy Shield before it is adopted, but those changes will probably not be fundamental, Jeppesen said. "For companies, there is likely to be continued uncertainty about how solid the Privacy Shield will be and whether it would withstand the European Court’s scrutiny."

Under the current proposal, the deal would bring US companies under the tougher scrutiny when it comes to upholding EU privacy standards. EU citizens, for example, would have new ways of making a complaint against EU and US companies, including the right to bring a US company into binding arbitration. Companies would be required to reply to individuals within 45 days.

That also means that individual data protection agencies, or DPAs, in Europe and an ombudsperson independent from intelligence services in the US would directly work with individuals to redress their complaints.

The ombudsperson would serve as contact point for data subjects and European data protection authorities when the processing of personal data by US intelligence agencies is at stake, according to Berlin-based lawyer Carlo Piltz, who specializes in privacy and data law.

"But it’s not absolutely clear if the competence of this role fulfills the requirements established by the European Court of Justice," he said.

Organizations such as the Electronic Privacy Information Center (EPIC) have warned that without significant changes to domestic law and international commitments, a Safe Harbor 2.0 will almost certainly fail.

"The ombudsperson in its current form does not meet the criteria for independence," said Fanny Hidvegi, an international privacy fellow at EPIC. "The Privacy Shield proposal will most certainly fail under future legal scrutiny."

Jaikumar Vijayan contributed reporting from Chicago. 

This story was updated after publication to clarify comments from Fanny Hidvegi of EPIC.