The new ‘Privacy Shield’ data sharing agreement between the United States and European Union may not be adequate, according to leaked documents from key data protection watchdogs.
The transatlantic Safe Harbour 2.0 agreement (or EU-US Privacy Shield) was finally agreed in early February to replace the previous Safe Harbour legislation that was ruled invalid by a European court on 6 October last year.
After much wrangling and worry, the new agreement was thrashed out between EU and American officials.
But leaked extracts seem to suggest that key European data regulators have their doubts about the new deal, and will not support it in its current form.
The blog of lawyer and privacy expert Dr. Carlo Piltz first spotted the leaked PDF extract after the German Data Protection Authorities (DPAs) met to discuss several current privacy topics.
These DPAs provided a hyperlink to a PDF file (since deleted) containing the initial assessment of the agreement by the European Data Protection Authorities (the so-called “Article 29 Working Party”).
“Until these issues are addressed, the WP29 considers it is not in a position to reach an overall conclusion on the draft adequacy decision,” the extract states.
It stresses that some of the clarifications and concerns – in particular relating to national security – may also impact the viability of the other transfer tools.
“Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU,” it concludes.
This is a very serious conclusion indeed, as it suggests the new agreement does not meet current European data protection levels, and therefore the new data sharing agreement will not stand up to a legal challenge in the courts.
It should be noted that although WP29 only issues recommendations, it is influential as its members enforce data protection across Europe, and the European Commission has asked for its expert guidance on the new pact.
The group is expected to reach a conclusion by the end of April, but WP29 is known to have concerns about the legality of transfer mechanisms, in light of US intelligence agencies’ access to European citizens’ data.
“These excerpts show that the European Data Protection Authorities are not able to okay the draft adequacy decision by the European Commission,” blogged Berlin-based Dr. Piltz.
But he noted that the opinion of WP29 is not legally binding and “a result would not necessarily stop the whole EU-US Privacy Shield from becoming effective.”