The EU's independent data protection supervisor has said that the proposed US-EU data sharing agreement, Privacy Shield, "is not robust enough to withstand future legal scrutiny" and has refused to endorse it.
"Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it's time to develop a longer term solution in the transatlantic dialogue," said Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), in his official opinion on Privacy Shield.
The much worried-about Privacy Shield is a proposed legal measure which would ensure that EU citizens' data would remain protected by the EU's more stringent data laws when transported across the Atlantic by firms based in America.
To be effective it would be required to provide "adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights." Neither the EDPS nor the German state's privacy body believes it fulfils these needs.
The old agreement governing this matter, Safe Harbor, was struck down in the EU following the Snowden revelations which revealed that the NSA was accessing EU citizens' data when it entered the US, and doing so outside of the legal requirements that EU intelligence agencies are required to follow. Safe Harbor was thus found to be unlawful.
Despite this, transatlantic data transfers currently continue in an atmosphere of legal uncertainty. Writing in Foreign Affairs, Henry Farrell and Abraham Newman said:
The Safe Harbor dispute stems from the fact that the EU and the United States have fundamentally different understandings of how privacy should work in the digital age. Beginning in the 1990s, European countries developed comprehensive rules governing the collection and processing of personal information, overseen by independent regulatory agencies called “data protection authorities.”
This approach to privacy was elevated to a fundamental constitutional right when the EU adopted its Charter of Fundamental Rights in 2009. The United States, in contrast, lacks a comprehensive approach to privacy, relying instead on an idiosyncratic patchwork of specific—and, in some cases, dated—rules governing sectors as diverse as health care and video rentals.
The problem for the United States is that European regulations have long prohibited the transfer of data to countries that the EU considers to have weak privacy protections, among them the United States.
The EDPS said that "international companies supplying goods and services in the EU should be absolutely clear about all the rules they must comply with".
"Key data protection principles must be covered in the Privacy Shield for it to offer essential equivalence between EU-US law," he added, noting that these principles are currently absent from the Privacy Shield proposals. ®