European privacy watchdogs unhappy with draft EU-US data transfer deal

Source:   —  April 13, 2016, at 5:59 PM

If you were under the impression that a new data transfer agreement had been locked down between Europe and the US — to restore legal confidence in commercial data flows across the Atlantic — think again.

While the so-called EU-US Privacy Shield was announced by the European Commission back in February, after multiple years of negotiations between the EU and the US to agree a replacement data transfer mechanism, the details of the draft deal have since been scrutinized by the national data protection authorities — who have yet to give it their blessing.

And while the WP29’s opinion on the Privacy Shield isn't legally binding, a thumbs down from increasingly powerful national DPAs could fatally dent confidence in the agreement, leaving businesses saddled with legal uncertainty about how they can move European data to the US for processing. And the whole impetus behind the Privacy Shield is to offer confidence and certainty, replacing the now-defunct Safe Harbor agreement — which lasted for some fifteen years and was being used by ~4,000 companies prior to being struck down last fall. So what the WP29 thinks here really matters.

This grouping of national privacy watchdogs, badged with the awkward umbrella moniker the Article 29 Working Party (WP29), has today given what they say is their final assessment on the Privacy Shield — and that assessment is that, in its current form, the agreement isn't clear or robust enough to gain their support. More work needs to be done to clarify portions of the agreement, said Isabelle Falque-Pierrotin of the French DPA, the CNIL, although she also described the deal as a “major improvement” and “great step forward” over the prior Safe Harbor agreement.

Giving a press conference today, Falque-Pierrotin said the main concerns of the WP29 vis-a-vis Privacy Shield are the continued potential for European citizens’ data to be harvested in bulk via US mass surveillance programs, and the independence of an ombudsperson who'd be appointed in the US to evaluate data-related complaints from European citizens.

“It’s a bit too early to arrive to a conclusion,” she told journalists, discussing the WP29’s position on the Privacy Shield. “We are waiting for the Commission to give its final word and once the final word is said, and once we've this final word, the latest decision of the European court, all these elements, if needed we’ll be in a position to get decisions or to express, maybe, another position. But this is another step. We’re not [yet] there.

“The negotiations on the Shield aren't finished. It's a dynamic and we're in a position to bring propositions to this dynamic and we hope we'll be heard,” she added. “The question that's behind our concerns is the valid robustness of the Shield.”

The original Safe Harbor data transfer deal was struck down by Europe’s top court back in October 2015, following a legal challenge brought by privacy campaigner Max Schrems on the grounds that US government mass surveillance programs were violating Europeans’ fundamental privacy rights. The court agreed with the challenge, invalidating Safe Harbor and leaving companies that'd been relying on it to govern EU-US data transfers to fall back on alternative mechanisms, such as binding corporate rules and standard contractual clauses.

The WP29 today said those alternative transfer mechanisms could still continue to be used by businesses while the uncertainty around a new overarching EU-US data transfer mechanism continues — albeit the legality of those mechanisms has also been questioned, on the same grounds of whether or not they allow an elusive ‘essential equivalence’ level of protection for Europeans’ data once it's in the US.

The Privacy Shield provides for a swathe of exceptions whereby the US can carry out bulk collection (or “generalized access”, as it was euphemistically referred to by the EC commissioner leading the negotiations to secure a new deal) of European data — such as where “tailored and targeted access isn't technically or operationally possible; or if they look some very dangerous trend that needs more than targeted access” — and these exceptions are evidently too wide for the WP29 to be confident the Privacy Shield would stand up to a future legal challenge. Schrems himself has also previously expressed the same concern.

Earlier this month, leaks from the German DPAs suggested the WP29 wasn't pleased with the shape of the current deal. The clear risk, then, is for national DPAs to maintain future challenges to the deal — leading to continued uncertainty about the legal status of EU-US data transfers. Which is pretty much where things stand now. National DPAs also have the power to suspend specific data transfers — posing a clear operational risk to, for example, cloud businesses that rely on being able to upload and process user data on servers located in the US.

Also today the WP29 said it wants the Privacy Shield to be reviewed in two years’ time, when a new common data protection regulation — the GDPR — is due to come into force. The new directive tightens Europe’s data protection rules, and includes stiffer penalties for companies breaching the rules.

Meanwhile, the timetable for a final EC decision on the Privacy Shield — assuming the Commission carries on pushing ahead with the agreement — is slated for mid-June. Individual European Union member states will also need to agree to the mechanism.

Commenting following the WP29’s press conference, Schrems said the group’s downbeat assessment of the draft agreement makes a legal challenge to Privacy Shield more likely to succeed. “I personally doubt that the European Commission will modify its plans much. There will be some political wording, but I think they'll still thrust it through. Given the negative opinion, a challenge to the Privacy Shield at the Courts is even more promising. Privacy Shield is a total failure, that's kept lively because of extensive pressure by the US government and some sectors of the industry,” he said.

Featured Image: Sébastien Bertrand/Flickr UNDER A CC BY 2.0 LICENSE
