It’s a step in the right direction, but not good enough. That’s the verdict on the so-called Privacy Shield from the Article 29 Working Party, representing Europe’s national data protection authorities.
As expected this morning, the supposed replacement for Safe Harbor doesn’t go far enough in ensuring that US authorities can do bulk data collection and is too complicated.
Working Party Chair Isabelle Falque-Pterrotin says of the Privacy Shield framework:
It is rather difficult to understand all the documents and annexes, as they are complex and not consistent…we believe it would have been better to have something simpler and less complex.
She also questions the nature of the independent Ombudsman role that is to be created:
We believe that we don’t have enough security guarantees in the status of the ombudsperson … in order to be sure that this is really an independent authority.
There are also too many informal understandings in play:
We cannot consider them as forming an integral part of the adequacy decision since they haven’t been yet put into writing.
The European Commission will now wait to hear from the Article 31 Working Party, made up of representatives of the Member States and which is believed to be broadly in favor of Privacy Shield. It may use that support to bounce through the Privacy Shield. No vote is required in the European Parliament.
Meanwhile the Article 29 Working Party will be considering the validity of Safe Harbor fixes, such as the use of model clauses.
As for what will happen if the Commission presses ahead with its June deadline on Privacy Shield without further amendments, Falque-Pterrotin nodded to the European Court of Justice, saying that an appeal there:
is always an option.
I’m with Max Schrems, whose court case brought about the slaying of Safe Harbor, when he suggests:
I personally doubt that the European Commission will change its plans much. There will be some political wording, but I think they will still push it through.
In other words, see you in court.