Brussels, 13/04/2016 (Agence Europe) - Meeting in the Article 29 (G29) working group, the national personal data protection authorities have given a mixed opinion on the Privacy Shield - an arrangement for managing the transfer of data in the commercial sphere from the EU to the USA, and replacing the Safe Harbor arrangement that was invalidated by the European Court of Justice.
In its opinion, the Article 29 Group hails big improvements in the Privacy Shield compared with the previous arrangement. Its leader, Isabelle Falque-Pierrotin, stated that the G29's initial response on the Privacy Shield had been “positive”, with the arrangement responding to the majority of their requests (see EUROPE 11482). She said that there had been improvements in the definition of rights and recognition of the stakes of surveillance. While she said that it was still not enough, Falque-Pierrotin said the issue was at least now on the table.
The G29 has reservations about the access of US intelligence authorities to data which is managed, for example, by the giants Facebook and Google. This issue of data collection was one of the most salient points of the Court's ruling, according to which the Safe Harbor arrangements did not bring enough guarantees to Europeans (see EUROPE 11404).
The Privacy Shield arrangement would reportedly not respond fully to these interrogations. The six exceptions that have been maintained, allowing US authorities to access these data and collect them in bulk, are not detailed enough in the view of the G29, which considers them unacceptable.
Falque-Pierrotin said that they recognised the importance of data collection as part of the fight against terrorism but still rejected the mass and indiscriminate collection of data.
The G29 also has doubts on the real and effective independence of the ombudsperson who, within the US Trade Department, will have the task of managing disputes raised by European citizens (see EUROPE 11481). The agreement finalised by the European Commission and Washington at the end of February furthermore remains too hazy on a number of points and key definitions. In addition, the ways of appeal that Europeans could have in the US are considered complicated, with users unable to know whom they should address. As regards appeals, national regulators should remain the central points of contact, the G29 believes.
Responding quickly to the working group's demands for urgent clarification, the European commissioner in charge of the issue, Vera Jourova, said that the Commission would take account of these comments and would quickly integrate them into the agreement. She hopes to obtain the approval of European ministers at the end of May so that the Commission's adequacy decision might be applied from June.
For the Article 29 group, the alternative instruments to Safe Harbor (corporate binding rules and model clauses) can still be applied until the Privacy Shield arrangement is finalised.
On the strictly commercial part of the analysis, Falque-Pierrotin said that despite clear improvements, questions remained - for example, on the re-use of data for other purposes or their transfer to third countries. She added that the level of protection offered on this would have to be assessed.
The European regulators call for a revision clause for the agreement in two years, especially when the European package on the reform of data protection rules is in force. The Privacy Shield is indeed based on the standards of the current 1995 directive, Falque-Pierrotin stated.
The weaknesses underlined by the European regulators are not of a nature to hinder the whole process or to disrupt the adoption of the Privacy Shield, the DigitalEurope association for the defence of companies in the digital sector stated, pleased at the considerable progress observed by the G29.
According to BEUC (the European consumer organisation), the new arrangement has failed the personal data protection test and the G29's opinion proves this. Like the data protection authorities, BEUC has repeatedly underlined numerous shortcomings in the Privacy Shield for the protection of private life: an opaque system for European citizens in search of repair, the lack of an independent data protection authority in the USA, the weakening of data protection principles such as the limit on the end purpose of the data, and the lack of a time limit for companies keeping data. (Original version in French by Solenn Paulic)