European privacy regulators said on Wednesday a new commercial data transfer pact between the European Union and the United States needed to provide more reassurance over US surveillance practices and the independence of a new US privacy ombudsman.
The lukewarm reception of the EU-US Privacy Shield, agreed in February after two years of talks, did little to clear up the legal limbo in which companies have conducted cross-border data transfers since October, when the EU's top court struck down the previous data transfer framework, Safe Harbour, on concerns about US mass surveillance practices.
The Privacy Shield is designed to help firms on both sides of the Atlantic to move Europeans' data to the United States without falling foul of strict EU data transfer rules.
European data protection authorities on Wednesday urged the European Commission - which negotiated the framework - to address their concerns so that they can establish that data transferred to the United States is afforded the same standard of protection as in Europe.
Isabelle Falque-Pierrotin, chair of the group of 28 data protection authorities, said an area of concern was "the possibility that is left in the Shield ... for bulk collection which if massive and indiscriminate is not acceptable."
Washington has provided an explanation of the limits and safeguards applying to its surveillance programmes to try to appease European concerns.
But US agencies can still collect data in bulk and use it for six purposes, including counterterrorism or cybersecurity. "We think they are still very broadly defined and can't count as targeted data collection, so for us it's still indiscriminate and mass data collection," said Paul Breitbarth, representing the regulators.
Falque-Pierrotin also said there were doubts about the effective powers and independence of the US ombudsman who will deal with EU complaints about US surveillance practices.
"We don't have enough security guarantees in the status of the ombudsperson and in the effective powers of this ombudsperson in order to be sure that this is really an independent authority," Falque-Pierrotin said.
While non-binding, the opinion from the regulators is important because they enforce data protection law across the EU and can suspend specific data transfers.
Falque-Pierrotin left open whether the regulators could in the future challenge other legal channels for data transfers, such as standard contractual clauses - contracts establishing privacy protections between groups - and binding corporate rules.
"The Working Party's position doesn't really help with removing the legal uncertainty around data transfers," said Wim Nauwelaerts, managing partner at law firm Hunton & Williams. "As a result of this, many businesses will find themselves between a rock and hard place."
The Commission said it would work swiftly to include the regulators' recommendations in the final decision, which it hopes to adopt in June. Cross-border data transfers are used in many industries for sharing employee information, and consumer data is shared to complete credit card, travel or e-commerce transactions, or to target advertising based on customer preferences.
Falque-Pierrotin said the Privacy Shield brought a number of improvements compared with Safe Harbour, such as a clearer explanation of EU citizens' rights and means for redress and stricter rules on how companies can use data in the United States. The data protection authorities urged the Commission to review the Shield in two years when a stricter European data protection law comes into force. Member state representatives still have to approve the framework before it is formally adopted by the Commission.