European data protection agencies have told authorities to address their “significant concerns” about Privacy Shield, or risk having the deal tested in court.
The Privacy Shield agreement governs transatlantic data flows and is the product of a lengthy wrangle after the Safe Harbor agreement was ruled invalid back in 2014.
Like its predecessor, Privacy Shield has come under fire from privacy campaigners and the Article 29 Working Party (WP29) - the name the merry band of European Union data protection agencies take when working together.
In a bid to garner trust and demonstrate there is more oversight this time around, the European Commission and the US government pledged to review the new deal on an annual basis.
The first such investigation reported in October, concluding that the deal provided an “adequate” level of protection for personal data. It saw the Commission praise even small achievements, while giving a much longer list of areas that needed improvement.
The WP29 has now released its own review of Privacy Shield, which isn't quite so diplomatic, saying that - although it’s better than Safe Harbor, there are still “significant concerns” to be addressed.
The group called on authorities to “restart discussions” and “immediately” develop an action plan to address the concerns - or it would be happy to ask national courts to refer it the Court of Justice of the European Union, which struck Safe Harbor down.
Two of its top priorities are similar to those raised in the official review: filling the vacant posts on the Privacy and Civil Liberties Oversight Board and appointing a permanent ombudsman.
The EU data protection agencies also called for further explanation of the rules of procedure that support the operation of Privacy Shield, including by declassifying information.
This includes details of the exact powers of the ombudsperson mechanism, onward transfers of data and evidence that collection of data for national security purposes isn’t indiscriminate.
While the justice commissioner Věra Jourová has declined to set any deadlines, the WP29 says these concerns need to be resolved by May 25 2018 (for those who haven’t got that date burned into their brains, that’s when the General Data Protection Regulation comes into force).
Further concerns must be addressed “at the latest at the second joint review”, which would be in September.
“In case no remedy is brought to the concerns of the WP29 in the given time frames,” the group continued, “the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.”
The group's concerns fall into two main areas: the commercial aspects of the deal and the national security implications for EU citizens.
On the commercial side, the WP29 called for more guidance for companies, details on the handling of HR data and automated decision-making and clarity on available recourse for data subjects.
On the national security side, the group said that, although there is more transparency, there's still room for improvement.
For instance, it said that it “regrets” that the report on Presidential Policy Directive 28 - which says surveillance activities need to safeguard personal information regardless of where the person resides - is still subject to Presidential privilege.
The group also suggested some improvements for US government to take into account as it battles to re-authorise the Foreign Intelligence Surveillance Act, which will expire at the end of the year.
“Instead of authorizing surveillance programs, section 702 [which allows US spies to search communications data] should provide for precise targeting, along with the use of the criteria such as that of “reasonable suspicion”, to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante," the EU data protection bods opined.