Adding another question mark to the EU-US Privacy Shield's future and on the heels of a European Parliament resolution calling for the two countries to renegotiate, European Data Protection Supervisor (EDPS) Giovanni Buttarelli said Monday that the agreement is ineffective and may crumble under the same scrutiny that brought down Safe Harbor.
While Buttarelli said the draft pact “showed a number of improvements” over its predecessor, he stressed that “progress compared to the earlier Safe Harbour Decision is not in itself sufficient.”
Aaron Tantleff, a lawyer in the privacy, security and information management practice at Foley & Lardner LLP, wasn't surprised by the EDPS's opinion. “There was a lot of concern that Privacy Shield failed to resolve many of the concerns that led to the invalidation of Safe Harbor,” Tantleff told SCMagazine.com via email. “While there was great support for the passage of Privacy Shield, given the impact it has on some of the largest global economies, the reality is that the ability for Privacy Shield to pass legal scrutiny in the current climate is all but impossible.”
The right “benchmark is not a previously invalidated decision,” Buttarelli said, offering what he termed “principled and pragmatic” advice to move the EU closer to its objectives and which complements some of the recommendations offered in Article 29 Working Party (WG29) opinion released earlier in the spring.
The EDPS recommended “integrating all the main data protection principles,” substantive details of which are omitted in the current Privacy Shield craft, and to better specify the exception to the pact's requirements.
He urged that derogations be limited. Not only does Privacy Shield allow limitations based on national security, law enforcement and public interest requirements, it also leaves room for limitations “if a statute, regulation or case law creates conflicting obligations or explicit authorizations, without any limitation on the purpose of such access.”
That's primary reason that Safe Harbor was invalidated by the European Court of Justice, whose decision also required “clear and precise rules limiting the scope and application of any interference with fundamental rights.”
The EDPS gave the nod to the “significant guidance” offered by Presidential Policy Directive 28 “against mass collection,” but said the directive allowed “the further processing of data collected in bulk to ‘facilitate targeted collection' and for at least six other purposes.”
Buttarelli also called for redress and oversight mechanisms to be improved. “As stated by the WP29, in order to improve the redress mechanism proposed in the national security area, the role of the Ombudsperson should also be further developed, so that she is able to act independently not only from the intelligence community but also from any other authority,” he said. “In practical terms, the possibility of reporting directly to Congress could be one option in this regard.”
He urged the EC to “seek more specific commitments that the requests for information and cooperation from the Ombudsperson, as well as her decisions and recommendations, will be effectively respected and implemented by all competent agencies and bodies.”
The EDPS gave the nod to the “significant guidance” offered by Presidential Policy Directive 28 “against mass collection,” but said the directive allowed “the further processing of data collected in bulk to ‘facilitate targeted collection' and for at least six other purposes.”
Buttarelli also called for redress and oversight mechanisms to be improved. “As stated by the WP29, in order to improve the redress mechanism proposed in the national security area, the role of the Ombudsperson should also be further developed, so that she is able to act independently not only from the intelligence community but also from any other authority,” he said. “In practical terms, the possibility of reporting directly to Congress could be one option in this regard.” He urged the EC to “seek more specific commitments that the requests for information and cooperation from the Ombudsperson, as well as her decisions and recommendations, will be effectively respected and implemented by all competent agencies and bodies.”
In addition to the material concerns that prompted those recommendations, “there were inconsistencies between Privacy Shield and GDPR [General Data Protection Regulation],” Tantleff said. “One of the concerns was that should Privacy Shield be implemented, it would only be temporary before changes would be required in order to address” GDPR's new data protection regulations, which apply to all matters data related, set to go into full effect in May 2018.
The opinion adds another nail to Privacy Shield's coffin, tossing its future into doubt.
“At this point, I find it highly unlikely that without further negotiation, or the EU backing off, that there is any chance of a successful implementation at this point,” said Tantleff. “There are too many shots being taken at Privacy Shield for it to have a chance.”
Criticism of the pact could force the U.S. and the U.K back to the negotiating table, something the Commerce Department has indicated it did not favor. “One must question whether this latest attack on Privacy Shield will force the U.S. back to the table, considering the value of the transatlantic trade was roughly $1 trillion in 2014,” said Tantleff, noting that Buttarelli's call “to craft a longer-term solution” just might be “the olive branch necessary to bring both parties to the table and see if there is a way to address the transatlantic transfer of data, but acknowledging that it will not be resolved in the coming days or weeks.”
Because “data is global and virtual” and becoming more difficult to “localize,” Tantleff called Privacy Shield critical. “Facing the growing uncertainty of the model contract clauses, organizations need a stable, valid method to transfer the data of EU citizens across the Atlantic,” he said. But he warned that organizations face a bumpy road until the shortcomings are hammered out.
“I doubt the ECJ will invalidate the model contract clauses until some greater certainty emerges around Privacy Shield or some other valid method of transfer is created,” he said.
While several of his firm's clients “that have data center and cloud computer deals coming up for renewal or negotiation are considering the localization of data in-country” that tactic will increase costs, “which will have to be passed along to their customers and business partners” and is an incomplete solution. “Thus, we still remain on high alert, but continue to move forward with business as usual, for now.”
