Europe's data protection authorities have graded the new Privacy Shield agreement that covers data sharing between the US and Europe a fail.
In a formal response [PDF] published Wednesday by the Article 29 Data Protection Working Party, the influential group outlined a number of serious concerns about the agreement, including:
- Whether national security exemptions were legal.
- How the review mechanism will work.
- The independence of the US Ombudsman that would review accusations of data abuse.
The working party welcomed the fact that access to data for national security reasons was now addressed in the new agreement, but noted that its provisions did not explicitly exclude "massive and indiscriminate collection of personal data" and so did not sufficiently protect EU citizens' rights.
It does not like the current appeal/redress mechanism, calling it "too complex ... and therefore ineffective." And it raised doubts over the US Ombuds role, arguing that it is "not sufficiently independent and is not vested with adequate powers to effectively exercise its duty."
The annual joint review of Privacy Shield lent it credibility, the working party said, but noted that there was precious little information over how that would actually work, and that its "exact arrangements" needed to be agreed upon "well in advance of the first review."
Overall, the report said that key data protection principles under EU law "are not reflected in the draft adequacy decision." As such the agreement is "not acceptable."
At a press conference, a working party representative strongly suggested that unless changes were made to deal with its concerns, it may take it to the European Court of Justice (ECJ), which was responsible for striking down the previous Safe Harbor agreement.
The Article 29 Working Party's opinion is not binding on the European Commission, but it is highly influential. An explicit rejection of the Privacy Shield would almost certainly lead to a legal challenge, putting the process back to square one.
The group was careful to keep the doors open, however, noting that it will wait to see the result of two related reviews: one by the Article 31 Committee – whose recommendations are binding – and another by the ECJ over the legality of the UK's surveillance efforts by listening post GCHQ.
In addition, revised EU data protection rules are expected soon and they may also impact the legality of Privacy Shield. The working party nevertheless noted the "major improvements" in the agreement when compared to its predecessor, but not before damning it by saying that it was "complex and not consistent."
Despite its pointed criticism, the working party said it still hoped to support the agreement in time for its expected approval in June. ®