deepagopi2011 - Fotolia

Mixed response to call for more work on Privacy Shield

The Article 29 Working Group’s call for revisions of the Privacy Shield for trans-Atlantic data transfers is welcomed by those keen for a stronger framework and criticised by those keen to avoid delay

The call by the Article 29 Working Party of European privacy regulators for more work on the EU-US Privacy Shield pact has been met with mixed response.

Instead of approving the proposed pact to replace the now-defunct Safe Harbour agreement to ensure privacy protections for trans-Atlantic data transfers, the group called on the US and European Commission (EC) to revise and clarify several points.

The A29WP said it was still concerned about the possible “massive and indiscriminate” bulk collection of EU citizens’ data by US authorities, and called for further guarantees about the powers US officials would have to handle complaints from EU citizens.

“We don’t have enough security or guarantees in the status of the ombudsperson and in their effective powers to be sure this is really an independent authority,” said Isabelle Falque-Pierrotin, chair of the A29WG.

Although the group’s recommendations are not binding, they are expected to have a strong influence on how the EC will proceed on the matter.

Uncertainty for businesses

The Safe Harbour Agreement was scrapped in October 2015 after the European Court of Justice backed an assertion by Austrian Max Schrems that the regime was no guarantee that the data of European citizens would be protected from the surveillance activities of the US government.

The ruling sent European and US lawmakers scrambling for an alternative arrangement for transferring data from Europe across the Atlantic by allowing US firms to self-certify that they were meeting the EU’s data privacy requirements.

The A29WP is concerned that the current version of the Privacy Shield framework could be challenged in the same way that Schrems challenged Safe Harbour if there are not stronger guarantees, but this means an extended period of uncertainty for businesses.

Calls for approval

The Information Technology and Innovation Foundation (Itif), a Washington-based technology policy think tank, said it was disappointed that the A29WP had not affirmed the adequacy of the current version of Privacy Shield that was negotiated between the EC and the US Department of Commerce. 

“The new agreement offers a host of new protections, obligations and opportunities for redress that affirm the commitment of the US government to safeguard European data and respect the rights of European citizens,” said Itif vice-president Daniel Castro.

“Moreover, the agreement has achieved widespread support on both sides of the Atlantic from many policymakers, businesses and advocacy groups for offering an opportunity to move forward after the European Court of Justice invalidated the Safe Harbour agreement,” he said.

Itif said that while the A29WG should continue to offer suggestions on how to strengthen Privacy Shield, the opportunity for improvement should not preclude official approval of the agreement.

“A prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, hurting businesses, workers and consumers. Moreover, there will be many opportunities to build on the initial Privacy Shield Framework, as all parties involved have agreed to meet at least annually to further improve the functioning, implementation, supervision and enforcement of the framework,” said Castro.

“But given the crucial importance of transatlantic data flows to the global digital economy, the national data protection authorities should not try to hold the digital economy hostage to extract further tweaks to the agreement. We urge the European Commission to affirm the adequacy of the Privacy Shield Framework,” he said.

BSA The Software Alliance said it does not fully share the views expressed by the A29WP. “In particular, we believe the privacy safeguards that were recently introduced into US law, as well as in the Privacy Shield itself, allow for a finding of essential equivalence between the European Union (EU) and US regimes.

“BSA calls on the EU member state governments, meeting as the Article 31 Committee, to make their own independent determination in this matter and to approve the Privacy Shield.

“We stand ready to work alongside all interested parties to rebuild trust and confidence in EU-US data flows for the benefit of millions of people and the many companies which rely on transatlantic data services every day,” the group said in a statement.

Benefit of the doubt

Eduardo Ustaran, a London-based partner at legal firm Hogan Lovells, said the A29WP’s recommendations are unsurprising given the sensitivity of the data privacy issue in Europe.

“The Privacy Shield is crucial in bridging the gap between European and American approaches to privacy. It is therefore essential that it can be relied on with complete certainty.

“This prolongs the current uncertainty regarding the legality of transatlantic dataflows. However, it would be inconceivable for such flows to stop and I believe the efforts of both the European Commission and the US government should be given the benefit of the doubt,” he said.

However, Ustaran believes the EC is likely to proceed with its support for Privacy Shield despite the A29WP’s position.‎ “Companies should bear that in mind when deciding which mechanism to deploy to ensure their data is protected no matter where it is in the world,” he said.

Uncertainty for companies affected by Privacy Shield

Julie Brill, former commissioner for the US Federal Trade Commission who was instrumental in the privacy shield negotiations, and current partner and co-leader of the global privacy and cyber security practice at Hogan Lovells, believes the agreement is good enough.

“I appreciate the hard work of the A29WP on its in-depth examination of the issues surrounding Privacy Shield. We should all carefully examine the WP29 opinion and determine whether there are points that can be clarified quickly. 

“However, I encourage all stakeholders to not let the perfect stand in the way of something very, very good”, she said. “I believe Privacy Shield should be approved quickly and we should all move forward to implementation, to ensure consumers are well protected and to provide certainty for businesses.”

Most commentators agree that companies affected by the Privacy Shield agreement should prepare to face more uncertainty, because the deal is likely to undergo further amendments before it is finalised.

This uncertainty has led many companies to get approval for binding corporate rules (BCRs), but some lawyers believe BCRs could potentially be overturned for the same reasons as Safe Harbour.

Read more about EU-US Privacy Shield

Read more on Privacy and data protection