deepagopi2011 - Fotolia

UK information commissioner weighs in on Privacy Shield

It would be “very sensible” if both the EU and the US answered the questions European data protection authorities are asking about the Privacy Shield pact, according to the UK information commissioner

UK information commissioner Christopher Graham has criticised the reluctance of the US to make changes to the Privacy Shield data transfer pact agreed in February 2016 with the European Commission.

The Article 29 Working Party (A29WP) of European data protection authorities, including Graham, recently called for more work on Privacy Shield.

Instead of approving the proposed pact to replace the now-defunct Safe Harbour agreement to ensure privacy protections for trans-Atlantic data transfers, the group called on the US and European Commission (EC) to revise and clarify several points.

But Stefan Selig, US undersecretary of commerce for international trade, said although the US would evaluate the EU regulators’ opinion very carefully, it would be wary of re-opening the agreement, according to Reuters.

The US is “very cautious about not upsetting what was a delicate balance that was achieved when we negotiated the original text, so would be chary about doing anything that would do just that”, said Selig.

Graham said the A29WP asked some very basic and simple questions about the lack of clarity in the documentation and around the justification for bulk data collection, the independence of the ombudsman, and concerns about the processing of information transferred to the US that was then moved on to third countries.

“If the data protection authorities, which are fairly expert in this area, are asking questions, then you can be pretty sure the European Court of Justice will also be asking questions. So it would be very sensible if both the EU and the US actually answered the questions,” he told the IAPP Europe Data Protection Intensive 2016 conference in London.

“These are perfectly reasonable questions, and if there aren’t answers there is only going to be trouble down the road. I would urge US corporates, which have a great interest in getting this sorted out, to encourage the US authorities to get answers to those questions so we can all move on safely,” he said.

Graham is keen to see Privacy Shield properly put to bed so that the Information Commissioner’s Office (ICO) can focus on the new General Data Protection Regulation (GDPR).

“That is what the ICO is focusing on now, not the change of guard,” he said, referring to the fact that he has just 10 weeks to go in the role of UK information commissioner.

Read more about the GDPR

Graham was appointed in 2009 on a five-year term that was extended for two years, but rules under the Protection of Freedoms Act 2012 mean he cannot be reappointed.

“The change of guard is almost peripheral because you’ve got 400 people working away on information rights and the GDPR is the focus of our activities, that is what we are gearing up for. There is a whole change programme underway designed to ensure the ICO can meet its obligations under the regulation to help UK organisations to meet theirs,” he said.

Graham said the ICO also has to work out how it fits in with the European Data Protection Board under the GDPR, which is expected to come into force in early 2018.

Commenting on his likely successor, he said he was “delighted” that British Columbia’s privacy commissioner, Elizabeth Denham, has been identified as the government’s preferred candidate.

“It’s great to see an experienced privacy commissioner like Elizabeth Denham being nominated,” said Graham, adding that confirmation of her appointment is expected shortly.

“I know that she will be a great leader of the ICO, and will continue with the approach that was developed by Richard Thomas and carried on by me to make sure the ICO is an effective partner in delivering information rights in the UK, and an influential voice within Europe, to achieve the benefits of the digital era while retaining citizens’ rights, privacy and respect,” he said.

Respecting information rights, said Graham, is essential for opening up all that the digital world offers. “If senior people in organisations are not prepared to give their time and attention to the rights of consumers and citizens, then they are not going to enjoy the benefits, opportunities and profits of the digital world,” he said. 

Read more on Privacy and data protection