US Businesses Face Continued Uncertainty Over Privacy Shield
U.S. business leaders have voiced criticism of an opinion by the Article 29 Working Party (WP29), a European group of privacy experts composed of data-protection commissioners from European countries. The WP29 expressed continued concerns about the E.U.-U.S. Privacy Shield, the latest proposed agreement to allow data to be transferred between the European Union and the United States. Such continued concerns among European privacy leaders leave U.S. businesses with no clear path forward in their efforts to address protection of personal data of E.U. citizens in data transferred or stored by U.S. companies.
U.S. businesses had welcomed Privacy Shield as a means to bring clarity to the legal status of data transfers. However, while the WP29 viewed the new Privacy Shield agreement between the United States and Europe as an improvement on the former Safe Harbor agreement between the nations, it nonetheless viewed Privacy Shield as falling short of necessary privacy protections. The WP29 expressed "strong concerns" about the protection of E.U. citizens' data, non-applicability of the agreement to third-party nations, and the Privacy Shield’s complex redress process.
Previously, the so-called Safe Harbor agreement regulated how U.S. companies could handle European citizens' data. It allowed U.S. companies to state their agreement to follow the rules of the E.U. with respect to data, and provided that the Federal Trade Commission would punish any violations. In October of 2015, however, Europe’s highest court, the Court of Justice of the European Union, annulled the agreement. Since then, U.S. businesses have been operating in a legal limbo. To address this unsettled area, the U.S. and E.U. negotiated the Privacy Shield.
The Privacy Shield agreement requires greater transparency by companies about how they use data, requires the U.S. government to confirm that it is not engaging in mass surveillance, and allows annual review.
The WP29 has expressed concerns that the agreement is both overly complex and lacks adequate assurances from the U.S. government. To the latter point, the privacy Working Party explained:
"The representations of the U.S. Office of the Director of National Intelligence (ODNI) do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU. … WP29 recalls its longstanding position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights."
This latest expression of disapproval from European privacy leaders is not binding. However, the opinions of the WP29 carry considerable weight in Europe, and the reservations expressed by the group suggest that European and U.S. authorities will have to renegotiate parts of the Privacy Shield agreement. For the time being, the existing climate of regulatory uncertainty will continue for U.S. companies engaged in transmission or storage of personal data of E.U. citizens.