Privacy Shield still not good enough, warn EU data protection authorities

Lack of clarity and inadequate redress mechanism criticised by Article 29 Working Party

The Privacy Shield, the deal agreed between the European Union and the US to replace Safe Harbour, still is not good enough, according to EU data protection authorities.

The Article 29 Working Party, the umbrella group of EU national data protection authorities, believes that while the Privacy Shield is an improvement on Safe Harbour, its protections still aren't good enough. In particular, while the new redress mechanism is welcome, the group believes it may not be practical and will, therefore, prove ineffective.

In addition, the Working Party is concerned that the Privacy Shield will do little to counter the risk of "massive and indiscriminate collection of personal data originating from the EU" - even if that is a-okay when EU governments do it.

"Overall, the Working Party welcomes the significant improvements brought by the Privacy Shield compared to the Safe Harbour decision. In particular, the insertion of key definitions, the mechanisms set up to ensure the oversight of the Privacy Shield list and the now mandatory external and internal reviews of compliance are a positive step forward," they say in their statement.

"However, the Working Party has strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield."

These include "an overall lack of clarity", their opinion that some key EU data protection principles are absent from the Privacy Shield agreement "or have been inadequately substituted by alternative notions", and the lack of wording covering automated processing.

"Because the Privacy Shield will also be used to transfer data outside the US, the WP29 [Article 29 Working Party] insists that onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower or circumvent EU data protection principles," argues the Working Party.

It goes on to express concern that the online collection of data for commercial purposes could be mixed up with the collection of data by the authorities in their fight against terrorism. The establishment of an Ombudsman may help, the Working Party suggests, but "this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement," it warns.