European privacy watchdogs unhappy with draft EU-US data transfer deal

If you were under the impression that a new data transfer agreement had been locked down between Europe and the US — to restore legal confidence in commercial data flows across the Atlantic — think again.

While the so-called EU-US Privacy Shield was announced by the European Commission back in February, after multiple years of negotiations between the EU and the US to agree a replacement data transfer mechanism, the details of the draft deal have since been being scrutinized by the national data protection authorities — who have yet to give it their blessing.

And while the WP29’s opinion on the Privacy Shield is not legally binding, a thumbs down from increasingly powerful national DPAs could fatally dent confidence in the agreement, leaving businesses to be saddled with legal uncertainty about how they can move European data to the US for processing. And the whole impetus behind the Privacy Shield is to offer confidence and certainty, replacing the now defunct Safe Harbor agreement — which lasted for some fifteen years and was being used by ~4,000 companies prior to being struck down last fall. So what the WP29 thinks here really matters.

This group of national privacy watchdogs, badged with awkward umbrella moniker the Article 29 Working Party (WP29), has today given what they say is their final assessment on the Privacy Shield — and that assessment is that, in its current form, the agreement is not clear or robust enough to gain their support. More work needs to be done to clarify portions of the agreement, said the CNIL French DPA’s Isabelle Falque-Pierrotin, although she also described the deal as a “major improvement” and “great step forward” over the prior Safe Harbor agreement.

Giving a press conference today, Falque-Pierrotin said the main concerns of the WP29 vis-a-vis Privacy Shield are the continued potential for European citizens’ data to be harvested in bulk via US mass surveillance programs, and the independence of an ombudsperson who would be appointed in the US to assess data-related complaints from European citizens.

“It’s a bit too early to come to a conclusion,” she told journalists, discussing the WP29’s position on the Privacy Shield. “We are waiting for the Commission to give its final word and once the final word is said, and once we have this final word, the last decision of the European court, all these elements, if needed we’ll be in a position to take decisions or to express, maybe, another position. But this is another step. We’re not [yet] there.

“The negotiations on the Shield are not finished. It is a dynamic and we are in a position to bring propositions to this dynamic and we hope we will be heard,” she added.  “The question that is behind our concerns is the legal robustness of the Shield.”

The original Safe Harbor data transfer deal was struck down by Europe’s top court back in October 2015, following a legal challenge brought by privacy campaigner Max Schrems on the grounds that US government mass surveillance programs were violating Europeans’ fundamental privacy rights. The court agreed with the challenge, invalidating Safe Harbor and leaving companies that had been relying on it to govern EU-US data transfers to fall back on alternative mechanisms, such as binding corporate rules and standard contractual clauses.

The WP29 today said those alternative transfer mechanisms could still continue to be used by businesses while the uncertainty around a new overarching EU-US data transfer mechanism continues — albeit the legality of those mechanisms has also been questioned, on the same grounds of whether or not they provide an elusive ‘essential equivalence’ level of protection for Europeans’ data once it is in the US.

The Privacy Shield provides for a swathe of exceptions whereby US can perform bulk collection (or “generalized access”, as it was euphemistically referred to by the EC commissioner leading the negotiations to secure a new deal) of European data — such as where “tailored and targeted access is not technically or operationally possible; or if they see some very dangerous trend that needs more than targeted access” — and these exceptions are evidently too broad for the WP29 to be confident the Privacy Shield would stand up to a future legal challenge. Schrems himself has also previously expressed the same concern.

Earlier this month leaks from the German DPAs suggested the WP29 was not happy with the shape of the current deal. The clear risk, then, is for national DPAs to support future challenges to the deal — leading to continued uncertainty about the legal status of EU-US data transfers. Which is pretty much where things stand now. National DPAs also have the power to suspend particular data transfers — posing a clear operational risk to, for example, cloud businesses that rely on being able to upload and process user data on servers located in the US.

Also today the WP29 said it wants the Privacy Shield to be reviewed in two years’ time, when a new general data protection regulation — the GDPR — is due to come into force. The new directive tightens Europe’s data protection rules, and includes stiffer penalties for companies breaching the rules.

Meanwhile, the timetable for a final EC decision on the Privacy Shield — assuming the Commission carries on pushing ahead with the agreement — is slated for mid-June. Individual European Union member states will also need to agree the mechanism.

Commenting following the WP29’s press conference, Schrems said the group’s downbeat assessment of the draft agreement makes a legal challenge to Privacy Shield more likely to succeed. “I personally doubt that the European Commission will change its plans much. There will be some political wording, but I think they will still push it through. Given the negative opinion, a challenge to the Privacy Shield at the Courts is even more promising. Privacy Shield is a total failure, that is kept alive because of extensive pressure by the US government and some sectors of the industry,” he said.

Update: The WP29 has now published its statement on the draft agreement, setting outs its concerns in detail — including commercial concerns that data protection principles set out within the agreement still fall short of European standards, and that redress mechanisms for European citizens are too complex, along with additional concerns focused on public authorities’ access to transferred data.

On the latter point it flags its “longstanding position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights”, adding: “The WP29 takes note that there is a tendency to collect ever more data on a massive and indiscriminate scale in the light of the fight against terrorism. Given the concerns this brings for the protection of the fundamental rights to privacy and data protection, the WP29 looks to the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.”