While acknowledging that the recent Privacy Shield agreement governing online data flows between the U.S. and Europe contains “significant improvements” over the previous Safe Harbor framework that was invalidated by the European Court of Justice last year, a working party of European Union (EU) national data protection authorities voiced “strong concerns” this week about various aspects of the Privacy Shield that require “further clarification” before the agreement is ratified by the European Commission (EC) and by the EU’s 28 member states later this year.
Announced in February, the Privacy Shield bolsters data privacy protections outlined in the 2000 Safe Harbor accord by requiring U.S. companies to commit to “robust obligations on how personal data is processed and individual rights are guaranteed” when importing online personal data that originates in EU member states. While citing improvements over the previous Safe Harbor framework that include new definitions, oversight mechanisms, and mandatory compliance reviews, the EU Article 29 Working Group said it remains concerned with certain “commercial aspects” of the Privacy Shield that include “access by public authorities” to data transferred under the agreement. A spokeswoman for the working group (whose recommendations to the EC and to EU member states are considered non-binding) also said that redress principles outlined in the Privacy Shield “in practice may prove to be too complex [and] difficult to use for EU individuals” and further cautioned that the ombudsman established by the agreement may “not be sufficiently independent and . . . not vested with adequate powers to effectively exercise its duty.”
Meanwhile, a spokesman observed that a “large majority” of European Parliament members (whose recommendations are also non-binding) have voiced support for the rules outlined in the Privacy Shield. As he called on affected parties to quickly resolve any lingering issues, Information Technology and Innovation Foundation vice president Daniel Castro emphasized that, while members of the Article 29 Working Party “should continue to offer suggestions on how to strengthen” the Privacy Shield, the opportunity for improvement “should not preclude official approval.”