European data protection supervisor says Privacy Shield not robust enough

The European data protection supervisor has published a report saying Privacy Shield is not robust enough to withstand sharing of data across the world.

Giovanni Buttarelli said a number of changes need to be made in order for data to be shared reliably between countries without putting that data or others' privacy at risk.

He said any solution used to replace Safe Harbour must provide "adequate" protection against surveillance by authorities and should be transparent, allowing

Any new legislation should also take into account data protection rights already considered by both governments and private companies in Europe. This is particularly important as the new General Data Protection Regulation (GDPR) is set to come into force in May 2018.

The European Commission needs to ensure that anything introduced to replace Safe Harbour adheres to guidelines set out in the new European legislation so there is no confusion between parties sharing data.

"I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court," Buttarelli said in a statement.

"Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it's time to develop a longer term solution in the transatlantic dialogue."

13/04/2016: Europe data watchdogs find flaws in Privacy Shield

Europe's data protection authorities have called for urgent amendments to Privacy Shield, the proposed agreement to safeguard EU data transferred to the US.

The watchdogs, who form the Article 29 Working Party, do not believe the legislation is up to scratch, identifying several changes they believe need to be made.

The group is still concerned about US agencies undertaking mass surveillance on European citizens' data, after Privacy Shield's predecessor, Safe Harbour, was scrapped because it was not deemed to protect personal data adequately.

Privacy Shield would rely on assurances from the US government that it would not spy indiscriminately on EU data, but the Article 29 Working Party does not think these are enough.

It also called into question the impartiality of Privacy Shield's proposed ombudsperson, a US position that would be responsible for tackling EU citizens' complaints about misuse of their data.

The group's chairwoman, Isabelle Falque-Pierrotin, said (via the BBC): "We believe that we don't have enough security [or] guarantees in the status of the ombudsperson and in their effective powers to be sure that this is really an independent authority."

However, it called the document a "great step forward" compared to Safe Harbour, reported Ars Technica.

While the Working Party's conclusion does not mean the European Commission cannot approve Privacy Shield, its findings could become the basis of future legal challenges if the Commission decides not to address them.

It comes after both Microsoft and Box endorsed Privacy Shield, though Box admitted it does not plan to rely on it, exploring alternatives like binding corporate rules as ways to transfer EU data outside of the US securely.

The watchdogs' conclusions should be published online later today.