European privacy regulators said on Wednesday a new commercial data transfer pact between the European Union and the United States needed to provide more reassurance over US surveillance practices and the independence of a new US privacy ombudsman.
The EU-US Privacy Shield, agreed in February after two years of talks, is designed to help firms on both sides of the Atlantic to move Europeans’ data to the United States without falling foul of strict EU data transfer rules.
It will replace Safe Harbour, struck down last year by the top EU court following a challenge spurred by revelations of mass US government surveillance programmes.
European data protection authorities on Wednesday urged the European Commission – which negotiated the framework – to address their concerns in order for them to be able to establish that data transferred to the United States is afforded the same standard of protection as in Europe.
Isabelle Falque-Pierrotin, chair of the group of 28 data protection authorities, said
She also said the regulators had doubts about the effective powers and independence of the US ombudsman who will deal with EU complaints about US surveillance practices.
“We don’t have enough security guarantees in the status of the ombudsperson,” Falque-Pierrotin said.
While non-binding, the opinion from the regulators is important because they enforce data protection law across the EU and can suspend specific data transfers.
However, companies can still transfer data to the United States using contracts establishing privacy protections between groups, so-called standard contractual clauses and binding corporate rules.
EU data protection law bars companies from transferring personal data to countries deemed to have insufficient privacy safeguards, of which the United States is one, unless they set up such contracts or use a framework like the Privacy Shield.
Cross-border data transfers are used in many industries for sharing employee information, and consumer data is shared to complete credit card, travel or e-commerce transactions, or to target advertising based on customer preferences.
Falque-Pierrotin welcomed improvements in the Privacy Shield compared with Safe Harbour, such as a clearer explanation of EU citizens’ rights and means for redress.
The data protection authorities urged the European Commission to review the Shield in two years when a stricter European data protection law comes into force.
Member state representatives have to approve the framework before it is formally adopted, something the Commission hopes to do by June.
© Thomson Reuters 2016
Download the Gadgets 360 app for Android and iOS to stay up to date with the latest tech news, product reviews, and exclusive deals on the popular mobiles.