Proposed EU–US “Privacy Shield” data transfer agreement dead in current form
Opinion by group of EU privacy regulators, concerned about bulk collection of personal data by US intelligence, casts doubt on legal viability of new framework.
As suggested by earlier leaks, European privacy regulators are rejecting the new “Privacy Shield” data transfer agreement announced in February as insufficiently protective of personal data. That agreement was negotiated after a court invalidated the “Safe Harbor” agreement, which had been in place for years.
As reported yesterday in The Wall Street Journal, privacy regulators have issued a non-binding opinion that argues the new Privacy Shield arrangement doesn’t do enough to protect the data of European citizens that would flow to the US. Specifically, the group doesn’t like the continued prospect of bulk data collection by US intelligence:
“A body representing national data-protection authorities in the EU’s 28 states said the trans-Atlantic deal, dubbed Privacy Shield, should include clearer limits on how US surveillance agencies conduct bulk collection of personal information for national security purposes to ensure that the accord conforms with EU privacy law.”
While the group’s opinion is legally non-binding, it suggests future legal challenges to the agreement in its current form and potential liability for companies operating under Privacy Shield. It thus creates a cloud of uncertainty and all but kills the existing framework.
Businesses operating in Europe want clarity and certainty to proceed. One approach that sidesteps the need for a definitive replacement for the defunct Safe Harbor agreement involves locating servers in Europe and maintaining all EU-related data on the Continent.
The Privacy Shield agreement sought to provide a range of new privacy safeguards and assurances for Europeans, including the following:
- US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.
- The US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.
- There must be effective protection of EU citizens’ rights: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities.
It’s likely that Privacy Shield will be adjusted to address the regulators’ concerns about bulk data collection. I would anticipate some sort of amendment or modification given the growing pressure on both sides of the Atlantic to create a clear and viable legal framework for data transfers.