Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Privacy Shield Heavily Criticized by European Regulators

News via a German leak concerning European regulators’ attitudes towards Privacy Shield was published last week with the headline, “EU-US Privacy Shield in big trouble, may not pass muster…” British lawyer David Flint commented, “Of course it won’t pass muster; it’s a political expedient and doesn’t address any of the issues of the CJEU decision in Schrems.” Both were right.

News via a German leak concerning European regulators’ attitudes towards Privacy Shield was published last week with the headline, “EU-US Privacy Shield in big trouble, may not pass muster…” British lawyer David Flint commented, “Of course it won’t pass muster; it’s a political expedient and doesn’t address any of the issues of the CJEU decision in Schrems.” Both were right.

Privacy Shield is the proposed replacement for the US/EU Safe Harbor agreement struck down as unconstitutional by the European Court of Justice last year.

When Privacy Shield was announced by both the European Commission and the US Dept of Commerce in early February, both described it in glowing terms as satisfactory and effectively a done deal. But according to the Schrems ruling, the EC cannot impose its opinions on the national regulators. If it couldn’t do so with Safe Harbor, it cannot do so with Privacy Shield.

So, key to Privacy Shield being a usable agreement for American companies holding European PII will be approval from the national regulators (known as the Article 29 Working Party, A29WP). Today A29WP published its formal ‘Opinion‘. While couched in the usual diplomatic language, it simply is not happy with the current form of Privacy Shield.

David Flint, a senior partner at MacRoberts LLP, told SecurityWeek, “While it appears that Privacy Shield is seen by the A29WP as an improvement on Safe Harbor, they note that it still contains significant lacunae in the protections offered and the continuing concerns of mass data gathering and surveillance.”

Mass surveillance (by the NSA) is the headline grabber. The Schrems decision made a specific point of it; and the regulators do not think that Privacy Shield sufficiently addresses it. Privacy professionals and activists are delighted. “The most significant [part of the Opinion] was their stance that Privacy Shield text still allows for the mass surveillance and bulk data collection of EU Citizens’ personal information, stating that this was ‘unacceptable’,” said Alexander Hanff of Think Privacy Inc in a telephone conversation.

Advertisement. Scroll to continue reading.

This is a problem for American companies since they have no control over the NSA. The European court simply assumes that the NSA has access to European data, and is given access to European data. That in itself is a breach of European law.

This Article 29 Opinion is not binding on the European Commission. Nevertheless, Hanff pointed out that the regulators “feel emboldened by the” by the Schrems decision.

Flint added, “The Opinion must be seen as ready ammunition for the inevitable litigation should the Commission adopt Privacy Shield. With all the failings which the WP have identified, the United States can hardly be held to provide equivalent protection to Member States. And that is even without the extra protections for EU citizens in GDPR, expected tomorrow.”

One feature that could be easily missed in the Opinion is that the Working Party is not simply criticizing the NSA over mass surveillance. It states, “With regard to access to data by public authorities, both in the EU and in third countries..” It later adds, “the WP29 looks to the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.” This likely refers to current issues against organizations like GCHQ.

Hanff told SecurityWeek, “Furthermore, the A29 Working Party fired a shot across the bow of other EU Countries with regards to their own surveillance activities – a shot which should be of particular importance to the French, British, Belgian and Polish governments.”

The Opinion does not kill off Privacy Shield by itself; but it does say that the regulators are not happy, and implies that if the Commission proceeds with it unchanged, they can and will kill it off via the courts. The short term solution offered to American companies wishing to export European personal data is to rely on Binding Corporate Rules (BCRs) that satisfy European Laws. This is not a long term solution, but the Working Party says it will not make a decision on BCRs until the EU has formally decided on Privacy Shield.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.