"Great step forward," but still work to do, say privacy experts.
Exceptions in the proposed EU-US Privacy Shield framework that would allow the US to carry out mass surveillance of EU citizens are "not acceptable," the Article 29 Working Party of EU data protection authorities said today in a press conference.
The Chairman of the group, Isabelle Falque-Pierrotin, explained that the Article 29 Working Party would look with "great interest" on the forthcoming ruling by the Court of Justice of the European Union (CJEU) on whether mass surveillance of EU citizens could be legal. If the CJEU finds that the surveillance carried out by GCHQ is unlawful, it would have a big impact on the national security exceptions included in Privacy Shield.
Falque-Pierrotin said that the data protection authorities also had some concerns about the independence and effectiveness of the Privacy Shield ombudsperson who will deal with complaints from Europeans about how their data has been used by the NSA.
However, the Article 29 Working Party called the proposed Privacy Shield in general a "great step forward" compared to the Safe Harbour framework it is designed to replace. But Falque-Pierrotin said "it is rather difficult to understand all the documents and annexes, as they are complex and not consistent." She went on: "we believe it would have been better to have something simpler and less complex."
Falque-Pierrotin pointed out that the imminent arrival of new data protection rules in the EU meant that the Privacy Shield needed some kind of review mechanism to allow it to be updated. Currently, there is no provision to do this.
The Article 29 Data Protection Working Party, which was set up under the 1995 Directive on the protection of personal data, is purely advisory, and the European Commission is not obliged to follow its advice.
Before making a final decision whether to proceed with the Privacy Shield framework, the Commission will wait to hear from another group set up under the 1995 Directive. The Article 31 Committee consists of representatives of the Member States, and therefore follows their policies, which are broadly in favour of Privacy Shield. The Article 31 Committee is expected to consider the Privacy Shield arrangement at meetings on April 29 and May 19 before issuing its opinion.
The European Commission must then decide whether to try to modify the current Privacy Shield proposal in the light of the Article 29 Working Party's comments, plus any made by the Article 31 Committee. The Commission told Ars that it is hopeful it will be able to give the go-ahead for Privacy Shield in June, which would then come into immediate effect. The European Parliament does not have a vote on this issue, which lies purely within the competence of the Commission.
Until then, the alternative transfer mechanisms, such as standard contractual clauses and binding corporate rules, can still be used for personal data transfers to the US. Falque-Pierrotin said that the Article 29 Working Party would not be considering whether these were valid until after the European Commission had produced the final version of Privacy Shield.