The European Data Protection Supervisor (EDPS) has said a data transfer pact between the EU and US needs “significant improvements”.
The EU-US Privacy Shield agreement was supposed to safeguard EU citizens’ personal information when stored in the US.
The agreement was designed to replace the Safe Harbour pact, which the EU Court of Justice ruled invalid in 2015.
But the EDPS, Giovanni Buttarelli, warned Privacy Shield was “not robust enough”.
“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny,” he wrote in a statement.
Mr Buttarelli’s statement does not mean the agreement will be scrapped, but his concerns echo those expressed by European privacy regulators in April.
The Privacy Shield agreement, negotiated by the US and the European Commission, was intended to be ratified in June.
What was Safe Harbour?
Safe Harbour referred to an agreement struck between the European Union and United States, designed to provide a “streamlined and cost-effective” way for US firms to get data from Europe without breaking EU rules. It was introduced in 2000.
The EU forbids personal data from being transferred to and processed in parts of the world that do not provide “adequate” privacy protections.
Safe Harbour allowed US companies to self-certify that they had taken the necessary steps to protect data, to avoid having to seek permission for each new type of transfer.
Why was Safe Harbour scrapped?
In 2013, Edward Snowden revealed details about a surveillance scheme operated by the NSA called Prism.
It was alleged the agency had gained access to data about Europeans and other foreign citizens stored by the US tech giants.
Privacy campaigner Max Schrems asked the Irish Data Protection Commission to audit what material Facebook might be passing on. The watchdog declined, saying the transfers were covered by Safe Harbour.
When Mr Schrems contested the decision, the matter was referred to the European Court of Justice, which ruled Safe Harbour inadequate.
What is Privacy Shield?
In February 2016, the EU and US agreed a new pact to make it easy for organisations to transfer data across the Atlantic.
Key points of the agreement are:
- The US will create an ombudsman to handle complaints from EU citizens about the Americans spying on their data
- The US Office of the Director of National Intelligence will give written commitments that Europeans’ personal data will not be subject to mass surveillance
- The EU and US will conduct an annual review to check the new system is working properly
However, the agreement has been criticised by European privacy watchdogs.
In April, the Article 29 Data Protection Working Party said it was still concerned about the possibility of “massive and indiscriminate” bulk collection of EU citizens’ data by the US authorities.
Mr Buttarelli has echoed those concerns.
“Significant improvements are needed… to respect the essence of key data protection principles,” he wrote.
In a statement, the EDPS said the Privacy Shield agreement needed to provide “adequate protection against indiscriminate surveillance” and “obligations on oversight, transparency, redress and data protection rights”.