The Privacy Shield trans-Atlantic data transfer arrangement is better than its predecessor, Safe Harbor, but still not good enough, European Union data protection authorities said Wednesday.
They want the European Commission improve the deal it has negotiated with U.S. authorities to ensure that EU citizens' personal information receives privacy protection equivalent to that of EU law when it is exported to the U.S.
The authorities have been examining Privacy Shield since it was unveiled in February, and announced the results of their study Wednesday.
The deal is too complex, they say, as it is composed of a collection of legal instruments, letters and annexes rather than a single, easily understandable document.
Furthermore, the measures it proposes are themselves too complex. For example, the avenues available for addressing complaints are too numerous, making it "difficult for the end user to find the right interlocutor," said Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party, an umbrella organization for European DPAs.
As it stands, Privacy Shield fails to adequately reflect key data protection principles, Falque-Pierrotin said at a news conference in Brussels. Further, it contains no revision mechanism to cope with the wholesale change in European privacy law that is expected to happen in 2018 with the introduction of the General Data Protection Regulation. A draft of this text will go before the European Parliament for vote later this week.
The members of the Article 29 Working Party made clear that they will withhold their support for Privacy Shield until the Commission has addressed their concerns.
The Commission may not care: The Working Party's role is purely advisory, and it cannot enforce its will on the Commission.
However, its members could ask the Court of Justice of the EU to rule on Privacy Shield's legality.
The new data transfer arrangement became necessary last October, when the court ruled the legal protections of its predecessor, Safe Harbor, inadequate under EU law. That case, pitting Austrian citizen Max Schrems against the Irish Data Protection Commissioner, had been referred to it by the High Court of Ireland.
Schrems was quick to react to the DPAs' verdict on Privacy Shield.
“I personally doubt that the European Commission will change its plans much. There will be some political wording, but I think they will still push it through," he said via email.
But he was optimistic about the prospects of a legal challenge in the light of the DPAs' negative opinion, he said.
Lobby group the Computer & Communications Industry Association focused on the good news, hailing Falque-Pierrotin's remark that Privacy Shield was "a major improvement," and glossing over the DPAs' request for clarifications.
While the DPAs' doubts about Privacy Shield's legal robustness are bad news for businesses reliant on trans-Atlantic data transfers, there was some good news: Falque-Pierrotin said the working party will not publish its views on the legality of other mechanisms for data transfer until the fate of Privacy Shield is finalized.
It has been conducting a study of those mechanisms, binding corporate rules and model contract clauses, since the CJEU overturned the Safe Harbor Agreement in October, but has yet to publish its findings.
That's important, because if the working party were to torpedo all the data transfer mechanisms allowed under the EU's 1995 Data Protection Directive, there would be no legal way for businesses to transfer personal information from the EU to the U.S. That would pose serious problems for multinational businesses or service providers processing payroll for Europeans in the U.S., and could threaten operations for companies such as Google or Facebook, which would have to split their networks into European and non-European segments.
Many companies have switched to the alternative legal mechanisms, and their continued validity is essential if data is to continue to flow across the Atlantic, according to another industry lobby group, DigitalEurope.