The influential group of European Union data controllers has said it is still concerned about the final version of the Privacy Shield agreement between the EU and US, but will allow it to run unchallenged for one year.
Agreement eases data transfer between EU and US but concerns remain about security – Photo credit: Fotolia
The agreement – which sets out rules for the sharing of data with US companies – is the successor to the ill-fated Safe Harbour agreement that was scrapped last year.
It was approved by the European Commission on 11 July and came into action a day later.
In its first statement on the final version of the agreement, the Article 29 Working Party commended the European Commission for taking into consideration the concerns that the group set out in April.
However, it said, “a number of these concerns remain regarding both the commercial aspects and the access by US public authorities to data transferred from the EU”.
Crucially, the working party said that it “would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism”. This role – which will look into complaints – was created in an attempt to allay fears about the US government’s use of the public’s data.
In addition, the working party said that there were no “concrete assurances” that bulk collection of data would not take place, despite the commitment made by the US Office of the Director of National Intelligence not to do this.
Concerns around bulk data collection have been raised repeatedly during the negotiations, with the EU’s data watchdog, the European Data Protection Supervisor Giovanni Buttarelli, calling for “significant improvements” to the terms in May this year.
He said it was crucial that the agreement provide “adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights”.
In light of these concerns, the Article 29 Working Party group said in its most recent statement that the first joint annual review of the agreement – due in July 2017 – would be a “key moment for the robustness and efficiency of the Privacy Shield mechanism”.
It also set out a number of requirement for that review, which are aimed at making sure the process is transparent and effective.
This included that the terms of the review be clearly defined, and that all members of the review team be allowed access to all the information necessary for the review, including elements that allow a “proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities”.
It said that, during that review, the national representatives of the working party would assess not only if the remaining issues have been solved but also if the safeguards provided are “workable and effective”.
Meanwhile, there remain questions over whether the UK will have to sign a similar, separate agreement with the US once it exits the EU, following the results of the referendum in June this year.