Regulators reject EU-US Privacy Shield deal

Data regulators that make up the Article 29 working group have criticised the Privacy Shield safe harbour revamp proposed by the European Commission.

Criticism surrounds the lack of surveillance protection from the US government for EU citizens’ data. Article 29 is also concerned about the strength and independence of the US ombudsman, which will deal with European complaints.


Indiscriminate data collection

The EU-US Privacy Shield was agreed in February after two years of negotiations. The agreement should allow companies to transfer EU citizens’ data for processing or storage within the US, replacing the previous agreement that was invalidated by the European court of justice after it ruled the agreement did not have “adequate” privacy protections inline with those of the EU.

The Privacy Shield limits what the US government can and can’t do with data across six purposes such as counterterrorism and cybersecurity.

Paul Breitbarth, representing the working party, said: “We think the limits are still very broadly defined and can’t count as targeted data collection, so for us it’s still indiscriminate and mass data collection.”


Not legally binding

The Article 29 Working Party’s opinion is not binding on the European Commission, but it is highly influential and reports suggest that rejection of the Privacy Shield would almost certainly lead to a legal challenge, meaning the whole process would be back to square one.

In its formal response the influential group did appear to leave the door ajar for the agreement, suggesting that it will wait to see the result of two related reviews: one by the Article 31 Committee – whose recommendations are binding – and another by the ECJ over the legality of the UK’s surveillance efforts by listening post GCHQ.

These, along with the revised EU data protection rules expected soon, which may impact the legality of Privacy Shield, mean the matter is likely to rumble on.

Related reading