The European Data Protection Supervisor (EDPS) has demanded revisions to a consumer data sharing deal between the EU and the US, intended to be a replacement for the long-running ‘Safe Harbour’ pact between the two regions.
The EDPS said a data transfer agreement between the EU and US needs “significant improvements”, warning that the Privacy Shield was “not robust enough”.
The Privacy Shield is meant to replace an earlier data transfer pact called Safe Harbour, which was invalidated by a court decision last year.
The Safe Harbour agreement had been used for 15 years to let US firms self-certify that they were carrying out necessary steps to ensure consumer data is not abused.
But a privacy campaigner challenged the process after whistleblower Edward Snowden revealed details about US authorities spying on foreign citizens’ data held in the country.
The EU privacy regulators are concerned that a similar challenge could be brought against the proposed Privacy Shield unless its language is toughened up.
Last month, national data protection authorities from across the EU said it still needed significant work, and last week the European Parliament said it too is unsatisfied.
On Monday the European Data Protection Supervisor (EDPS) released a statement rejecting the new EU-US Privacy Shield.
Giovanni Buttarelli’s comments are as follows:
“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.”
Buttarelli wants the Commission to negotiate improvements to Privacy Shield in three main areas: limiting exemptions to its provisions, improving its redress and oversight mechanisms and integrating all the main EU data protection principles.
Elodie Dowling, VP, EMEA general counsel, BMC Software, said: “With the push to remain competitive, businesses across the globe should be forgiven for asking how they are expected to navigate their way through the patchwork of differing data exchange laws in the post-Safe Harbour landscape. With the latest statement from the European Data Protection Supervisor (EDPS) rejecting the new EU-US Privacy Shield yesterday, businesses across the US will have to innovate and comply to experience ongoing growth and create a culture of trust amongst EU citizens. Moreover, businesses all over the world will have to rethink how they protect and harness data to keep customers, employees and citizens protected in our Fourth Industrial Revolution, where data is becoming the ‘new oil’”.
“In this current state of insecurity, many companies are likely to start adopting the Binding Corporate Rules (BCRs) accreditation. The BCRs represent the most comprehensive global data protection and privacy framework in the world, whilst also being in compliance with the most rigorous EU laws. With this recognition, companies who obtain BCR accreditation are permitted to transfer personal data outside of the EU in a secure manner and in accordance with local laws and regulations”.
“At BMC, we anticipated the end of Safe Harbour early and worked to achieve BCR accreditation ahead of time as both a data controller and data processor. We believe, especially given the latest developments on Privacy Shield, that this will give us significant competitive advantage in the months and even years ahead.”