A panel of EU privacy watchdogs has demanded changes to a pact meant to govern cross-Atlantic data transfers.
The group urged the US and European Commission to revise and clarify several points in the proposed Privacy Shield agreement in order to safeguard EU citizens’ personal information.
The Privacy Shield is meant to replace an earlier data transfer pact called Safe Harbour.
Safe Harbour was invalidated by a court decision last year.
The Article 29 Data Protection Working Party said it was still concerned about the possibility of “massive and indiscriminate” bulk collection of EU citizens’ data by the US authorities.
It added that it wanted further guarantees about the powers a US official would have to handle complaints from EU citizens.
“We believe that we don’t have enough security [or] guarantees in the status of the ombudsperson and in their effective powers to be sure that this is really an independent authority,” said Isabelle Falque-Pierrotin, the chairwoman of the group.
The group’s recommendations are not binding on the EU or US, but should prove influential as the watchdogs can suspend data transfers they are concerned about.
The European Court of Justice effectively brought an end to Safe Habour in October when it ruled that the pact did not eliminate the need for local watchdogs to check that US firms were protecting Europeans’ data.
The agreement had been used for 15 years to allow American firms to self-certify that they were carrying out the necessary steps.
But a privacy campaigner challenged the process after whistleblower Edward Snowden revealed details about US authorities spying on foreign citizens’ data held in the country.
The EU privacy regulators are concerned that a similar challenge could be brought against the proposed Privacy Shield unless its language is toughened up.
Earlier in the week, Microsoft had endorsed Privacy Shield on the basis that the US could take “additional steps” to protect data at a later point.
One US-based lawyer expressed concern that the matter had not been resolved.
“The working party’s opinion today can really be summed up in two words: transatlantic chaos,” said Phil Lee from the law firm Fieldfisher.
“If the Privacy Shield doesn’t get adopted, countless US businesses will be left scratching their heads in wonder as to how they can continue to service their EU customers lawfully.
“The working party’s opinion creates a real problem for the commission. Does it go against the view of the working party and adopt the Privacy Shield anyway? Or does it go back to the drawing table with the US Department of Commerce and try to negotiate a better deal?”
An Edinburgh-based lawyer echoed his concern.
“The reality is that international transfers of data are vital to economic growth and there needs to be a pragmatic solution adopted by the courts, policy makers and data protection authorities to recognise this,” said Kathryn Wynn, a data protection expert at the law firm Pinsent Masons.
But Max Schrems – the campaigner who challenged Safe Harbour – welcomed the latest development.
“I personally doubt that the European Commission will change its plans much,” he said.
“There will be some political wording, but I think they will still push it through.
“Given the negative opinion, a challenge to the Privacy Shield at the courts is even more promising. Privacy Shield is a total failure that is kept alive because of extensive pressure by the US government and some sectors of the industry.”