Why regulators fear EU-US Privacy Shield won't protect us

An improvement on Safe Harbour, but our digital data could still be exploited...

Microsoft might have become the first major US tech firm to get behind the EU-US Privacy Shield this week, but comments from EU data regulators today suggest it may never get off the ground.

The draft pact had been agreed by Brussels and Washington in February, as the trading partners attempted to clarify their approach to online data protection in the wake of Safe Harbour's dismissal.

The previous agreement, which allowed EU citizens' data to be transferred through Ireland to America, was thrown out in September 2015 when the European Court of Justice ruled that it impinged on people's privacy rights.

The EU-US Privacy Shield made big promises to fix the glaring holes that had been exposed in Safe Harbour.

As per a European Commission fact sheet, it would usher in greater transparency, oversight mechanisms to ensure companies abide by the rules, sanctions or exclusions if they did not, and tightened conditions for onward transfers.

The Commission claimed that the Shield would impose stronger obligations on US companies to protect the personal data of European citizens, and fulfil the requirements that Safe Harbour had not.

For the first time, the US was giving written assurances that any access by public authorities to personal data would be subject to limitations, safeguards and oversight. A new redress possibility through an independent EU-US Privacy Shield ombudsperson was also announced, as well as an annual joint review conducted by the European Commission and the US Department of Commerce.

What this would mean in practice, according to the Commission, would be:

For American companies

  • Self-certify annually that they meet the requirements.
  • Display privacy policy on their website.
  • Reply promptly to any complaints.
  • (If handling human resources data) Cooperate and comply with European Data Protection Authorities.

For European individuals

  • More transparency about transfers of personal data to the U.S. and stronger protection of personal data.
  • Easier and cheaper redress possibilities in case of complaints, directly or with the help of their local Data Protection Authority.

While all this sounds good, flaws have been found.

Max Schrems, the Austrian law student who won his case against Safe Harbour, had already written that the Privacy Shield would not stand up in court.

Now the EU's Article 29 Working Party, established under a 1995 Directive on personal data protection, has taken issue primarily with six exceptions US intelligence agencies have demanded so that they can continue to gather data en masse.

The Working Party has said that the role of the US-appointed ombudsman is too vague and questioned the overall complexity of the pact, which brings together legal instruments, letters, annexes and more.

Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, said:
"We believe that we don’t have enough security guarantees in the status of the ombudsperson... in order to be sure that this is really an independent authority".

Falque-Pierrotin also noted that the Privacy Shield does not have a revision mechanism to handle the vast European privacy law changes that will arrive along with the new General Data Protection Regulation in 2018.

She summarised that it does not adequately reflect key data protection principles.

The Working Party will refrain from supporting the EU-US Privacy Shield until its concerns are addressed. While it is a purely advisory body, it could potentially ask the European Court of Justice to test the Shield's legality if its advice is ignored.

Meanwhile, an Article 31 Committee composed of representatives from each member state's data protection authority will issue its own opinion after meetings this month and in mid-May.