EU data protection controllers still have concerns about Privacy Shield
The Article 29 Working Party said it would expect stricter guarantees about the role of the ombudsman
Data protection - Image credit: Fotolia
An influential group of EU data controllers has said it is still concerned about the final version of the Privacy Shield data sharing agreement between the European Union and the United States.
It will allow it to run unchallenged for one year though.
In its first statement on the final version of the agreement, the Article 29 Working Party commended the European Commission for taking into consideration the concerns raised by the group in April.
However, it said, “a number of these concerns remain regarding both the commercial aspects and the access by US public authorities to data transferred from the EU”.
Crucially, the working party said that it “would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism”.
The ombudsman role, which will look into complaints, was created in an attempt to allay fears about the US government’s use of the public’s data.
In addition, the group said that there were no “concrete assurances” that bulk collection of data would not take place, despite the commitment made by the US Office of the Director of National Intelligence not to do this.
The Privacy Shield agreement, which sets out rules for the sharing of data with US companies, is the successor to the ill-fated Safe Harbour arrangement that was scrapped last year.
It was approved by the European Commission on 11 July and came into action a day later.
Concerns around bulk data collection have been raised repeatedly during the negotiations, with the EU's data watchdog, the European Data Protection Supervisor Giovanni Buttarelli, calling for "significant improvements" to the terms in May this year.
He said it was crucial that the agreement provide "adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights”.
In light of these concerns, the Article 29 Working Party group said in its most recent statement that the first joint annual review of the agreement, due in July 2017, would be a “key moment for the robustness and efficiency of the Privacy Shield mechanism”.
It also set out a number of requirement for that review, which are aimed at making sure the process is transparent and effective.
This included that the terms of the review be clearly defined, and that all members of the review team be allowed access to all the information necessary for the review, including elements that allow a “proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities”.
It said that, during that review, the national representatives of the working party would assess not only if the remaining issues have been solved but also if the safeguards provided are “workable and effective”.
Meanwhile, there remain questions over whether the UK will have to sign a similar, separate agreement with the US once it exits the EU, following the results of the referendum in June this year.
The revelations around Cambridge Analytica show the need for better monitoring of data protection, say MEPs
The heads of the UK Parliament’s most powerful committees are working together on Russia
Owners of critical infrastructure and providers of services are being urged to be prepared for Russian cyber attacks
The leader of a UK tech trade body has written to Liam Fox to argue that the UK must adhere to EU data protection rules
Vodafone explores some of the ways IoT is significantly improving public sector service delivery
BT's Amy Lemberger argues that having the right security in place to protect your organisation is no longer just an option. It is a necessity.