Today, the European Data Protection Authorities (DPAs) sent the so-called EU-US Privacy Shield back to the drawing board. Following a thorough assessment of the proposed new framework, the DPAs have come to the conclusion that, despite providing some improvements over the previous ‘Safe Harbour’ agreement, the proposed Privacy Shield as it stands raises substantial concerns and therefore does not guarantee an adequate level of protection for consumers’ privacy.

The concerns raised by the DPAs affect both the commercial and the national security aspects of the agreement and had already been highlighted by many privacy advocates and NGOs on both sides of the Atlantic, including TACD in its most recent policy position. These include:

On the commercial side:

– Inadequate reflection of key EU data protection principles that effectively allow for the reuse of data for very large purposes, with no time limits and broad exceptions to process data without consumers’ consent;

– Weak obligations in terms of onward transfers of data to third countries;

– Extremely complex redress mechanism that undermines consumers’ right to seek redress and legal remedies.

 On the national security side:

– Unacceptable possibility to continue carrying out indiscriminate mass surveillance;

– Lack of independence and effective powers of the proposed ombudsperson.

Consumers on both sides of the Atlantic are pleased to see that European Data Protection Authorities have raised their voice and expect that it will be appropriately heard by the EU and US negotiators.

Finn Myrstad – EU Co-Chair of the TACD Information Society Committee said:

“We hope that the European Commission will take the opinion of the Data Protection Authorities very seriously. It is clear that the Privacy Shield does not adequately protect EU consumers’ fundamental rights. The Commission must reconsider its adoption. The EU cannot afford to set a precedent like this and allow fundamental rights and values to be hijacked by political and commercial interests.”

Jeff Chester – US Co-Chair of the TACD Information Society Committee said:

“The Article 29 Working Party recognized the “digital data Wild West” in the U.S., where the lack of overall data protection regulations means that nearly everything a consumer does online is collected and used without meaningful consent. The absence of U.S. privacy rules has placed its FTC in a legal straitjacket unable to stem at all the tsunami of pervasive use of data profiling. “

In addition to its opinion on the EU-US Privacy Shield proposal, the Article 29 Working Party also adopted a document laying out a series of “essential legal guarantees” that need to be provided in relation to state surveillance for national security purposes, in order to ensure the respect of the fundamental rights of EU citizens.