EU watchdogs have demanded revisions to a consumer data sharing deal with the US, intended to be a replacement for the long-running ‘Safe Harbour’ pact between the two regions.
The EU regulators are concerned about allegations the US authorities are spying on data held in local data centres.
The panel of EU privacy watchdogs has urged the US and European Commission to revise and clarify several points in the proposed ‘Privacy Shield’ agreement in order to safeguard EU citizens’ personal information.
The Privacy Shield is meant to replace an earlier data transfer pact called Safe Harbour, which was invalidated by a court decision last year.
The Article 29 Data Protection Working Party said it was still concerned about the possibility of “massive and indiscriminate” bulk collection of EU citizens’ data by the US authorities.
It added that it wanted further guarantees about the powers a US official would have to handle complaints from EU citizens.
“We believe that we don’t have enough security [or] guarantees in the status of the ombudsperson and in their effective powers to be sure that this is really an independent authority,” said Isabelle Falque-Pierrotin, the chairwoman of the group.
The group’s recommendations are not binding on the EU or US, but should prove influential as the watchdogs can suspend data transfers they are concerned about.
“I am grateful to the experts for their thorough analysis,” responded Vera Jourova, European Commissioner for Justice.
“[They provided] a number of useful recommendations and the Commission will work to swiftly include them in its final decision.”
The Safe Harbour agreement had been used for 15 years to let US firms self-certify that they were carrying out the necessary steps to ensure consumer data was not abused.
But a privacy campaigner challenged the process after whistleblower Edward Snowden revealed details about US authorities spying on foreign citizens’ data held in the US.
The EU privacy regulators are concerned that a similar challenge could be brought against the proposed Privacy Shield unless its language is toughened up.
Earlier in the week, Microsoft had endorsed Privacy Shield on the basis that the US could take “additional steps” to protect data at a later point.
“The on-going debate to ratify the EU Privacy Shield agreement proves, once again, that global consumer-data privacy regulations are constantly evolving, making it very challenging for companies to maintain compliance,” says Patrick Salyer, CEO of Gigya, a leading customer identity management technology company. “The smartest companies will adopt a compliance strategy that offers agility for storing and protecting customer data regionally, while still sharing the data securely within the global enterprise.”