Privacy Shield Heavily Criticized by European Regulators

News via a German leak concerning European regulators’ attitudes towards Privacy Shield was published last week with the headline, “EU-US Privacy Shield in big trouble, may not pass muster…” British lawyer David Flint commented, “Of course it won’t pass muster; it’s a political expedient and doesn’t address any of the issues of the CJEU decision in Schrems.” Both were right.

Privacy Shield is the proposed replacement for the US/EU Safe Harbor agreement struck down as unconstitutional by the European Court of Justice last year.

When Privacy Shield was announced by both the European Commission and the US Dept of Commerce in early February, both described it in glowing terms as satisfactory and effectively a done deal. But according to the Schrems ruling, the EC cannot impose its opinions on the national regulators. If it couldn’t do so with Safe Harbor, it cannot do so with Privacy Shield.

So, key to Privacy Shield being a usable agreement for American companies holding European PII will be approval from the national regulators (known as the Article 29 Working Party, A29WP). Today A29WP published its formal ‘Opinion‘. While couched in the usual diplomatic language, it simply is not happy with the current form of Privacy Shield.

David Flint, a senior partner at MacRoberts LLP, told SecurityWeek, “While it appears that Privacy Shield is seen by the A29WP as an improvement on Safe Harbor, they note that it still contains significant lacunae in the protections offered and the continuing concerns of mass data gathering and surveillance.”

Mass surveillance (by the NSA) is the headline grabber. The Schrems decision made a specific point of it; and the regulators do not think that Privacy Shield sufficiently addresses it. Privacy professionals and activists are delighted. “The most significant [part of the Opinion] was their stance that Privacy Shield text still allows for the mass surveillance and bulk data collection of EU Citizens’ personal information, stating that this was ‘unacceptable’,” said Alexander Hanff of Think Privacy Inc in a telephone conversation.

This is a problem for American companies since they have no control over the NSA. The European court simply assumes that the NSA has access to European data, and is given access to European data. That in itself is a breach of European law.

This Article 29 Opinion is not binding on the European Commission. Nevertheless, Hanff pointed out that the regulators “feel emboldened by the” by the Schrems decision.

Flint added, “The Opinion must be seen as ready ammunition for the inevitable litigation should the Commission adopt Privacy Shield. With all the failings which the WP have identified, the United States can hardly be held to provide equivalent protection to Member States. And that is even without the extra protections for EU citizens in GDPR, expected tomorrow.”

One feature that could be easily missed in the Opinion is that the Working Party is not simply criticizing the NSA over mass surveillance. It states, “With regard to access to data by public authorities, both in the EU and in third countries..” It later adds, “the WP29 looks to the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.” This likely refers to current issues against organizations like GCHQ.

Hanff told SecurityWeek, “Furthermore, the A29 Working Party fired a shot across the bow of other EU Countries with regards to their own surveillance activities – a shot which should be of particular importance to the French, British, Belgian and Polish governments.”

The Opinion does not kill off Privacy Shield by itself; but it does say that the regulators are not happy, and implies that if the Commission proceeds with it unchanged, they can and will kill it off via the courts. The short term solution offered to American companies wishing to export European personal data is to rely on Binding Corporate Rules (BCRs) that satisfy European Laws. This is not a long term solution, but the Working Party says it will not make a decision on BCRs until the EU has formally decided on Privacy Shield.