Art.29 Working Group says Privacy Shield falls short

Privacy Shield still doesn't adequately address the issue that spelt certain doom for its predecessor, bulk collection.

It appears as though Privacy Shield is neither as private or as shielding as the Working Group would have hoped
It appears as though Privacy Shield is neither as private or as shielding as the Working Group would have hoped

The Privacy Shield forged by the EU and the US earlier this year shows progress but still doesn't adequately address the issue that got Safe Harbour tossed by a European Court of Justice – the bulk collection of data on private citizens, a  group of data privacy regulators known as the Article 29 Working Party said in an much-anticipated opinion handed down Wednesday.

“It's not a surprise because I believe Privacy Shield [somehow] is lacking, but [rather] I'm not surprised because of the way it has been playing out in public,” Aaron Tantleff,  intellectual property partner at law firm Foley & Lardner LLP, told SCMagazine.com. “Look at why Safe Harbour was rejected,” he said, noting that mass surveillance was the “cornerstone” of the European court's rejection and if that concern is still not addressed by Privacy Shield then groups like Art.29 WG are going to take issue with it.

Criticism of the agreement hammered out in response to a European Court of Justice's rebuff of Safe Harbour came as no surprise, since excerpts from the Art.29 WP opinion leaked late last week clearly indicated that the group wasn't prepared to embrace Privacy Shield without some significant modifications.

The regulators put forth a number of recommendations that they would like to see in the final version of Privacy Shield, including, Tantleff said, a review in two years to see how the pact gibes with the General Data Protection Regulation (GDPR) set to be in effect by then and clarification of the role of an ombudsman to be appointed by the US.

The Information Technology and Innovation Foundation (ITIF) were disappointed by the outcome. ITIF vice president, Daniel Castro told SC that, "the new agreement offers a host of new protections, obligations, and opportunities for redress that affirm the commitment of the U.S. government to safeguard European data and respect the rights of European citizens. Moreover, the agreement has achieved widespread support on both sides of the Atlantic from many policymakers, businesses, and advocacy groups for offering an opportunity to move forward after the European Court of Justice invalidated the Safe Harbor agreement in the Schrems decision."

Privacy Shield in its current form is not quite up to scratch according to Deema Freij, global privacy officer at Intralinks. In it's current form, its "too informal in certain respects, and not adequate enough to protect the personal data of EU citizens being transferred to the United States at the moment." 

But perhaps even more worrying is the possibility that Privacy Shield might suffer the same fate as its predecessor: "if the EU Commission and the U.S. bodies do not take the opinion of the Article 29 Working Party seriously, Privacy Shield is more likely to be challenged in the higher European courts in the near future, especially if the Max Schrems case is anything to go by. Then we're back to square one."

Still, all is not lost for businesses added Freij: "After the demise of Safe Harbour, companies realised it's good to have back-up plans should one legal route be shut off.  EU Model Clauses and Binding Corporate Rules (BCRs) are still seen as legitimate alternatives to the Privacy Shield according to today's announcement. At the moment, businesses have switched - or are switching - to EU Model Clauses so they are able to transfer personal data to the US - and they can continue to use these in spite of the decision today."

Elodie Dowling VP for EMEA general counsel at BMC Software agreed, telling SC that "The BCRs represent the most comprehensive global data protection and privacy framework in the world and are in compliance with the most rigorous EU laws."

Dowling added, "BCRs remain by far the only tool which requires a complete change of DNA in terms of how a company as a group handles its own and its customers' personal data. Considering the current environment of scepticism, it is the only way forward to drive up levels of confidence and compliance for businesses across both sides of the Atlantic."

Stay tuned to SCMagazineUK.com for more updates on the development of Privacy Shield.