Regulator criticises 'Privacy Shield' for EU data in US

The European Commission plans to move forward on a new data sharing pact with the US despite criticism by Europe's top data protection regulators on Wednesday (13 April).

EU justice commissioner Vera Jourva i said the so-called EU-US Privacy Shield, which was agreed in February, will be adopted in June.

"I am grateful to the experts [data regulators] for their thorough analysis," she said in statement.

The move to push ahead with Privacy Shield is motivated, in part, to reestablish a sense of lost trust among businesses that rely on a transatlantic data exchange market worth $260 billion annually.

Privacy Shield lays out rules on the transfer and use of data of EU nationals by firms in the United States and replaces a 15-year old Safe Harbour decision that was declared illegal by the European Court of Justice (ECJ).

The latest deal, largely based on signed letters from US authorities, is supposed to protect EU nationals from mass surveillance and other possible violations.

But details in the annex of the agreement still give US authorities wide discretion on bulk collection.

US-led mass surveillance, as revealed by whistleblower Edward Snowden, was among the main reasons why Safe Harbour ended up in the ECJ in the first place.

Concern is mounting that Privacy Shield could share a similar fate, unravelling two years of talks between the EU commission and the US.

The EU's main regulatory body on privacy, the “article 29 working party”, on Wednesday added to those fears after its assessment flagged gaps.

The article 29 group is composed of representatives of national data protection authorities and EU experts.

It cited improvements to Safe Harbour, but its chair, Isabelle Falque-Pierrotin, said “the possibility that is left in the Shield and its annexes for bulk collection … is not acceptable.”

In a separate case at the EU court in Luxembourg, judges are to rule by 2017 on whether UK proposals on bulk data retention and bulk access to retained data are lawful.

Falque-Pierrotin said the verdict is likely to weigh in on Privacy Shield.

The US has promised to set up a special ombudsperson, embedded in the state department, to help deal with complaints from EU nationals.

But Falque-Pierrotin said there are outstanding issues on the ombudsperson's independence.

"We don't have enough security guarantees in the status of the ombudsperson," she said.

Article 29's criticism was not limited to US national security issues.

In terms of commercial use of data, it said questions remain on use of EU nationals’ data in the US and on the transfer of their data to other countries.

The Brussels-based European Consumer Organisation (BEUC) aired similar views.

“EU consumers’ rights to privacy should not expire once their personal data travels outside the EU but this agreement does nothing to really prevent that from happening," said BEUC director Monique Goyens.

In a further complication, the legal analysis of Shield is based, in part, on a 20-year old data protection directive that is set to be replaced this week by a much stronger regulation.

The reformed data protection regulation will be voted into law by the European Parliament in Strasbourg on Thursday and transposed into national laws within two years.

It is unclear how well Privacy Shield will respond to the new data protection regulation.

The regulation will be voted in alongside a new EU passenger name record (PNR) bill that has itself attracted widespread criticism from civil liberty defenders.