Europe’s privacy watchdog rejects Privacy Shield as not robust enough

31 May 2016

The Privacy Shield to protect EU citizens'data as it is handled by US firms is not robust enough, the EU's privacy watchdog has warned

The European Data Protection Supervisor Giovanni Buttarelli has rejected the EU-US Privacy Shield agreement in its current form, warning that it needs significant improvements and gaps to be filled concerning how US companies handle EU citizens’ data.

On 2 February, the European Commission published a statement confirming that it and the US had agreed, in principle, a new framework for EU-US data transfers, dubbed the EU-US Privacy Shield.

The Privacy Shield placed new obligations on US companies when it came to the handling of EU citizens’ personal data and established a position of ombudsman to handle complaints, among a number of measures.

This came in the wake of the EU’s highest court, the Court of Justice of the European Union (CJEU), declaring the longstanding EU-US data transfer framework Safe Harbour to be invalid.

Privacy Shield raises concerns

However, Buttarelli has said the proposed remedies under Privacy Shield raise concerns.

“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court.

“Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms.

“Moreover, it’s time to develop a longer-term solution in the transatlantic dialogue.”

Butterelli said that for Privacy Shield to be effective it must provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights.

With the new General Data Protection Regulation (GDPR) to be fully implementable across the EU in May 2018, Buttarelli  points out that it will be applicable to all data-protection-related matters, including transfers of data.

He said he has reflected on concerns shared by MEPs, industry, academics and civil society, and an adequate long-term solution is required.

He said that international companies supplying goods and services in the EU should be absolutely clear about all the rules they must comply with.

“In the EU we do not discriminate on the basis of nationality,” Buttarelli said. “Key data protection principles must be covered in the Privacy Shield for it to offer essential equivalence between EU-US law.”

In an opinion document posted yesterday, Buttarelli made a number of recommendations aimed at filling the gaps in the current Privacy-Shield proposals, including better integration of all main EU data protection principles, in particular, onward transfers of data, the right to access and the right to object.

He also recommended improved redress and oversight recommendations.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years