Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Privacy Shield Heavily Criticized by European Regulators

News via a German leak concerning European regulators’ attitudes towards Privacy Shield was published last week with the headline, “EU-US Privacy Shield in big trouble, may not pass muster…” British lawyer David Flint commented, “Of course it won’t pass muster; it’s a political expedient and doesn’t address any of the issues of the CJEU decision in Schrems.” Both were right.

News via a German leak concerning European regulators’ attitudes towards Privacy Shield was published last week with the headline, “EU-US Privacy Shield in big trouble, may not pass muster…” British lawyer David Flint commented, “Of course it won’t pass muster; it’s a political expedient and doesn’t address any of the issues of the CJEU decision in Schrems.” Both were right.

Privacy Shield is the proposed replacement for the US/EU Safe Harbor agreement struck down as unconstitutional by the European Court of Justice last year.

When Privacy Shield was announced by both the European Commission and the US Dept of Commerce in early February, both described it in glowing terms as satisfactory and effectively a done deal. But according to the Schrems ruling, the EC cannot impose its opinions on the national regulators. If it couldn’t do so with Safe Harbor, it cannot do so with Privacy Shield.

So, key to Privacy Shield being a usable agreement for American companies holding European PII will be approval from the national regulators (known as the Article 29 Working Party, A29WP). Today A29WP published its formal ‘Opinion‘. While couched in the usual diplomatic language, it simply is not happy with the current form of Privacy Shield.

David Flint, a senior partner at MacRoberts LLP, told SecurityWeek, “While it appears that Privacy Shield is seen by the A29WP as an improvement on Safe Harbor, they note that it still contains significant lacunae in the protections offered and the continuing concerns of mass data gathering and surveillance.”

Mass surveillance (by the NSA) is the headline grabber. The Schrems decision made a specific point of it; and the regulators do not think that Privacy Shield sufficiently addresses it. Privacy professionals and activists are delighted. “The most significant [part of the Opinion] was their stance that Privacy Shield text still allows for the mass surveillance and bulk data collection of EU Citizens’ personal information, stating that this was ‘unacceptable’,” said Alexander Hanff of Think Privacy Inc in a telephone conversation.

This is a problem for American companies since they have no control over the NSA. The European court simply assumes that the NSA has access to European data, and is given access to European data. That in itself is a breach of European law.

This Article 29 Opinion is not binding on the European Commission. Nevertheless, Hanff pointed out that the regulators “feel emboldened by the” by the Schrems decision.

Flint added, “The Opinion must be seen as ready ammunition for the inevitable litigation should the Commission adopt Privacy Shield. With all the failings which the WP have identified, the United States can hardly be held to provide equivalent protection to Member States. And that is even without the extra protections for EU citizens in GDPR, expected tomorrow.”

One feature that could be easily missed in the Opinion is that the Working Party is not simply criticizing the NSA over mass surveillance. It states, “With regard to access to data by public authorities, both in the EU and in third countries..” It later adds, “the WP29 looks to the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.” This likely refers to current issues against organizations like GCHQ.

Hanff told SecurityWeek, “Furthermore, the A29 Working Party fired a shot across the bow of other EU Countries with regards to their own surveillance activities – a shot which should be of particular importance to the French, British, Belgian and Polish governments.”

The Opinion does not kill off Privacy Shield by itself; but it does say that the regulators are not happy, and implies that if the Commission proceeds with it unchanged, they can and will kill it off via the courts. The short term solution offered to American companies wishing to export European personal data is to rely on Binding Corporate Rules (BCRs) that satisfy European Laws. This is not a long term solution, but the Working Party says it will not make a decision on BCRs until the EU has formally decided on Privacy Shield.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...