Today, the European Data Protection Supervisor (EDPS) delivered a crushing blow to the proposed Privacy Shield, sending U.S. and European negotiators back to the drawing board.
Readers of this blog know about the collapse of the EU/US data privacy Safe Harbor framework (which had been in place since 2000) and the efforts to negotiate a trans-Atlantic resolution (see my prior posts here, here and here). The EU/US Safe Harbor was struck down by the EU Court of Justice last year, and officials have been scrambling to replace it. This spring, the U.S. Department of Commerce released a proposal (the "Privacy Shield") designed to satisfy European officials that U.S. organizations could be trusted with information about Europeans. I have already described that proposal in relative detail, here.
The European Data Protection Supervisor (EDPS), appointed in 2014, is an independent institution of the EU, responsible European law "for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected." Under Article 28(2) of Regulation 45/2001, the European Commission is required, "when adopting a legislative Proposal relating to the protection of individuals' rights and freedoms with regard to the processing of personal data", to consult the EDPS. Since the submission of the proposed Privacy Shield to the EDPS, officials on both sides of the Atlantic have been holding their respective breaths in anticipation of this Opinion.
Earlier today, EDPS Giovanni Buttarelli declared that the Privacy Shield was "not robust enough." Although "a step in the right direction" it was deemed inadequate. Specific criticisms involve safeguards, judicial redress, and routine access by U.S. governments. In Opinion 4/2016, titled "Opinion on the EU-U.S. Privacy Shield draft adequacy decision", the EDPS outlined three main recommendations (integrating data protection principles, limiting exceptions, which are referred to in EU law as "derogations", and improving redress and oversight mechanisms) as well as five secondary recommendations. You can read the full text of the EDPS Opinion for yourself here.
The sense of urgency is real. The General Data Protection Regulation (technically regulation EU 2016/679, but known simply as the "GDPR") becomes effective in May 2018, and the Privacy Shield was intended to take effect before the GDPR in order to satisfy its requirements in addition to the existing EU legal framework.
Stay tuned, as there is certainly much more to come.