European Data Watchdog's Criticism of Privacy Shield Another Blow to EU-US Pact
With the EU top data watchdog lining up against Privacy Shield, some observers said the proposed EU-U.S. trans-Atlantic data transfer agreement is on shakier ground -- and the opposition could delay its approval. European Data Protection Supervisor Giovanni Buttarelli's opinion issued Monday came days after the European Parliament issued a resolution saying that both sides need to continue negotiations to fix "deficiencies" on weak data protections and a complex redress system (see 1605260024).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Buttarelli wrote that Privacy Shield "may be a step in the right direction," but it doesn't include "all appropriate safeguards to protect" EU individuals' right to privacy, data protection and judicial redress. "Significant improvements are needed should the European Commission wish to adopt an adequacy decision," he wrote. "The EU should get additional reassurances in terms of necessity and proportionality, instead of legitimising routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU, as affirmed by the Treaties, EU rulings and constitutional traditions common to the Member States.”
Privacy Shield is "not robust enough to withstand future legal scrutiny," said Buttarelli in a statement. He said self-regulation and the commitments from public officials in the proposed agreement are good for the short term, but not sufficient to protect people's rights or meet the needs of a global digital world. "A longer term solution would be welcome in the transatlantic dialogue, to also enact in binding federal law at least the main principles of the rights to be clearly and concisely identified, as is the case with other non EU countries which have been ‘strictly assessed’ as ensuring an adequate level of protection," meaning it's essentially equivalent to EU law, he wrote in his opinion.
"It's a very meaningful statement from a very important man," said Nuala O'Connor, CEO of the Center for Democracy and Technology." While Buttarelli may not have legislative authority, his opinion matters and it "shows the situation is far more fraught and is kind of ... tense right now," she told us Tuesday. There's not only "discomfort" with the U.S. privacy regime but it's directed at the "blurring boundaries" between personal data and government use of data, she said.
That means Congress needs to work on changing Section 702 of the Foreign Intelligence Surveillance Act Amendments Act on surveillance of the electronic communications of foreigners outside the U.S. (see 1605100001), O'Connor said, and pass the House version of the Electronic Communications Privacy Act, which is being considered in the Senate (see 1605260016). O'Connor said Privacy Shield is "one skirmish" in a much longer conversation on data and there needs to be a permanent lasting global structure.
Jonathan Armstrong, an attorney with London-based Cordery, emailed that the opinion doesn't come as a surprise since he had asked Buttarelli a similar question about Privacy Shield last week at an event in Rome "so [I] thought something was in the works." Armstrong said the watchdog's opinion also matches the Article 29 Working Party's April position (see 1604130002) that raised several problems with the proposed framework. Buttarelli's opinion "will however make the [European] Commission take this seriously since this is another EU institution with reservations," Armstrong said. "That and the Article 31 news show that Privacy Shield is likely to be delayed and even less likely to stand up to any court challenge.”
In a recent meeting, the Article 31 Committee, which is a EU body comprised of member state representatives, said it needed more time to review the proposal and vote on it, which was reported by Ars Technica. But the committee, which meets again June 6 and 20, could wrap up discussions on Privacy Shield by the end of June or early July (see 1605250002). It signaled support for discussing changes in the framework with the U.S. following the Article 29 Working Party, which is comprised of member states' data protection authorities.