Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), has issued a statement which argues that the Privacy Shield deal, which was negotiated between the EU and the US earlier this year, is inadequate to protect the privacy rights of EU citizens. Privacy Shield was hastily negotiated as a replacement for the Safe Harbor deal, which was overturned by the European Court of Justice (ECJ) last year.
Both deals allow for the routine transfers of personal information between the EU and the US. These sorts of transfers are done every day by companies like Facebook and Google, in order to store information about their European users on servers located in America. The Safe Harbor deal came under fire when concerns were raised that data stored on American servers was subject to indiscriminate searches by the NSA. The ECJ found that Safe Harbor did not provide judicial protection to EU citizens against unlawful searches by US agencies and did not provide any way to seek redress after the fact if their privacy was violated.
In order to deal with the concerns of the ECJ, Privacy Shield contains new protections to prevent EU citizens from having their privacy violated. These include the creation of an ombudsman to handle complaints by EU citizens that they are being spied on by American agencies. The US Director of National Intelligence will also give written assurances that EU citizens will not be subject to mass surveillance. The EU and the US will also conduct an annual review to make sure the system is working properly.
Even with these changes, the EDPS was still not satisfied with the Privacy Shield deal. Buttarelli states, "I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court." The statement goes on to say, "For the Privacy Shield to be effective it must provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights."
Buttarelli's comments echo those made by a panel of EU privacy regulators in April. The panel also criticized Privacy Shield and in particular raised concerns over the lack of authority and independence of the ombudsman that is created by the deal. Neither the panel nor the EDPS can actually stop the deal from being ratified; they can do little more than issue statements and recommendations. However, the deal is likely to face a legal challenge sooner or later, and the ECJ may take their criticisms into consideration when making its rulings. If the EU Commission wants a deal that can survive a legal challenge, it may have to negotiate a stronger deal.