European data protection supervisor says Privacy Shield not robust enough

Giovanni Buttarelli said the European Commission needs to develop a longer-term solution for sharing data across continents

The European data protection supervisor has published a report, saying Privacy Shield is not robust enough to withstand sharing of data across the world.

Giovanni Buttarelli said a number of changes need to be made in order for data to be shared reliably between countries without it putting that data or others' privacy at risk.

He said any solution used to replace Safe Harbour must provide "adequate" protection against surveillance by authorities and should be transparent, allowing

Any new legislation should also take into account data protection rights already considered by both governments and private companies in Europe. This is particularly important as the new General Data Protection Regulation (GDPR) is set to come into force in May 2018.

Advertisement - Article continues below
Advertisement - Article continues below

The European Commission needs to ensure that anything introduced to replace Safe Harbour adheres to guidelines set out in the new European legislation so there is no confusion between parties sharing data.

"I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court," Buttarelli said in a statement.

"Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it's time to develop a longer term solution in the transatlantic dialogue."

13/04/2016: Europe data watchdogs find flaws in Privacy Shield

Europe's data protection authorities have called for urgent amendments to Privacy Shield, the proposed agreement to safeguard EU data transferred to the US.

The watchdogs, who form the Article 29 Working Party, do not believe the legislation is up to scratch, identifying several changes they believe need to be made.

Advertisement - Article continues below

The group is still concerned about US agencies undertaking mass surveillance on European citizens' data, after Privacy Shield's predecessor, Safe Harbour, being scrapped because it was not deemed to protect personal data adequately.

Privacy Shield would rely on assurances from the US government that it would not spy indiscriminately on EU data, but the Article 29 Working Party does not think these are enough.

It also called into question the impartiality of Privacy Shield's proposed ombudsperson, a US position that would be responsible for tackling EU citizens' complaints about misuse of their data.

The group's chairwoman, Isabelle Falque-Pierrotin, said (via the BBC): "We believe that we don't have enough security [or] guarantees in the status of the ombudsperson and in their effective powers to be sure that this is really an independent authority."

Advertisement - Article continues below

However, it called the document a "great step forward" compared to Safe Harbour, reported Ars Technica.

While the Working Party's conclusion does not mean the European Commission cannot approve Privacy Shield, its findings could become the basis of future legal challenges if the Commission decides not to address them.

Advertisement - Article continues below

It comes after both Microsoft and Box endorsed Privacy Shield, though Box admitted it does not plan to rely on it, exploring alternatives like binding corporate rules as ways to transfer EU data outside of the US securely. 

The watchdogs' conclusions should be published online later today.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020

Openreach offers free full-fibre installation for thousands of homes

14 Jan 2020

Microsoft to patch ‘extraordinarily serious’ cryptographic flaw

14 Jan 2020