Privacy Shield: Latest EU Data Protection Supervisor’s Opinion
This article sets out the short and sweet version of the latest opinion on the Privacy Shield (Safe Harbor II) released by Giovanni Buttarelli, the European Data Protection Supervisor. In his opinion he sets out a number of recommended changes to be made to the new agreement between the EU and the US on data transfers between the two continents. This new agreement is important as it may legitimise the current state of affairs in respect of surveillance in the US.
The supervisor discusses the surveillance “trend” in the US, stating that it has moved from indiscriminate surveillance to more targeted and selected approaches. However, there are still serious privacy concerns about the scale and the volume of data that is transferred from the EU to the US.
The amount of EU data under US surveillance is still likely to be very high.
1. Privacy Shield is Vague on Fundamental EU Principles
Buttarelli calls for clarification of, in particular, the principles of data retention and automated processing. Furthermore, the purpose limitation principle should be better clarified. This means that the purpose of collecting personal data must always be clear in advance, and indiscriminate general handling of data is unlawful under EU law. Lastly, the current draft is vague on the requirements for exceptions to applying the Privacy Shield, in essence leaving too much scope for non-compliance.
2. The Role of the Ombudsman
The role of the Ombudsman is unclear. It’s unsurprising we see this in the Opinion.
According to the International Ombudsman Institute, an Ombudsman offers independent and objective consideration of complaints.
This means an Ombudsman is an instrument of democratic accountability and therefore independent of the state. The current Ombudsman expressed her discontent with the use of the term in the Privacy Shield draft agreement in a letter to Commissioner Věra Jourová.
The Supervisor follows the Article 29 Working Party and states that the role of the Ombudsperson should be further developed, so that she is able to act independently not only from the intelligence community but also from any other authority. Only in this way will adequate redress be available to EU citizens.
3. Oversight System with Various Layers
The Ombudsman is just one link in the compliance chain. Buttarelli encourages the European Commission to explore the feasibility of involving EU representatives in the assessment of the results of the oversight system for processing of EU data by the US. Furthermore, representatives should be involved in assessing the notification of certain categories of personal data to be processed by the US.
All in all, the opinion is a follow-up to the Article 29 Working Party’s opinion. It is still ambiguous, especially as we don’t yet know how the US will respond to the requests from the EU Data Protection authorities.
As the draft currently stands, the Privacy Shield is made of paper, literally and figuratively. However, it’s crucial for businesses to take note of the formal requirements of the current draft to ensure current transfers between the EU and the US are legitimate, either in the form of BCRs or EU Standard Contractual Clauses.