European data protection supervisor says Privacy Shield not robust enough

Giovanni Buttarelli said the European Commission needs to develop a longer-term solution for sharing data across continents

The European data protection supervisor has published a report, saying Privacy Shield is not robust enough to withstand sharing of data across the world.

Giovanni Buttarelli said a number of changes need to be made in order for data to be shared reliably between countries without it putting that data or others' privacy at risk.

Advertisement - Article continues below

He said any solution used to replace Safe Harbour must provide "adequate" protection against surveillance by authorities and should be transparent, allowing

Any new legislation should also take into account data protection rights already considered by both governments and private companies in Europe. This is particularly important as the new General Data Protection Regulation (GDPR) is set to come into force in May 2018.

The European Commission needs to ensure that anything introduced to replace Safe Harbour adheres to guidelines set out in the new European legislation so there is no confusion between parties sharing data.

"I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court," Buttarelli said in a statement.

"Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it's time to develop a longer term solution in the transatlantic dialogue."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

13/04/2016: Europe data watchdogs find flaws in Privacy Shield

Europe's data protection authorities have called for urgent amendments to Privacy Shield, the proposed agreement to safeguard EU data transferred to the US.

The watchdogs, who form the Article 29 Working Party, do not believe the legislation is up to scratch, identifying several changes they believe need to be made.

The group is still concerned about US agencies undertaking mass surveillance on European citizens' data, after Privacy Shield's predecessor, Safe Harbour, being scrapped because it was not deemed to protect personal data adequately.

Privacy Shield would rely on assurances from the US government that it would not spy indiscriminately on EU data, but the Article 29 Working Party does not think these are enough.

It also called into question the impartiality of Privacy Shield's proposed ombudsperson, a US position that would be responsible for tackling EU citizens' complaints about misuse of their data.

Advertisement - Article continues below

The group's chairwoman, Isabelle Falque-Pierrotin, said (via the BBC): "We believe that we don't have enough security [or] guarantees in the status of the ombudsperson and in their effective powers to be sure that this is really an independent authority."

However, it called the document a "great step forward" compared to Safe Harbour, reported Ars Technica.

While the Working Party's conclusion does not mean the European Commission cannot approve Privacy Shield, its findings could become the basis of future legal challenges if the Commission decides not to address them.

It comes after both Microsoft and Box endorsed Privacy Shield, though Box admitted it does not plan to rely on it, exploring alternatives like binding corporate rules as ways to transfer EU data outside of the US securely. 

The watchdogs' conclusions should be published online later today.

Advertisement

Recommended

Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020
Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354842/irish-data-regulator-racks-up
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020
Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Most Popular

Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020
Visit/business-strategy/flexible-working/355186/why-were-lucky-covid-19-has-come-now
flexible working

Why we’re lucky COVID-19 has come now

3 Apr 2020