Europe’s top data-protection cop warned on Monday that a pending transatlantic data-transfer agreement didn’t go far enough in protecting Europeans’ privacy.
The E.U.–U.S. Privacy Shield “is not robust enough to withstand future legal scrutiny before the [European] Court [of Justice],” Giovanni Buttarelli, the European data-protection supervisor, said in a statement, adding that “significant improvements are needed … to respect the essence of key data protection principles.”
In a lengthy opinion on the agreement, Buttarelli emphasized the need to make the U.S. government ombudsperson for E.U. privacy complaints as independent as possible, possibly by letting this official report directly to Congress without any bureaucratic meddling.
Buttarelli also criticized vague language in the deal that would let the U.S. government bypass protections on Europeans’ data in national-security situations. “The purposes for which exceptions are allowed and the requirement of a legal basis should be more precise” in the deal, he argued.
The data-privacy official also took note of a proclamation from the Office of the Director of National Intelligence purporting to limit the bulk collection of Europeans’ data, saying that while it “constitutes a positive development, it remains to be seen” whether other changes to U.S. law might be needed to “help meet [the Privacy Shield’s] requirements.”
U.S. and E.U. negotiators worked frantically to craft Privacy Shield in late 2015 and early 2016 after the European Court of Justice threw out the previous agreement, a 2000 deal dubbed Safe Harbor, because of concerns about U.S. surveillance of tech companies’ data.
The court held that, because American tech firms were subject to intrusive surveillance by the National Security Agency, they could not adequately protect their European customers’ data when they transferred it to their U.S. servers.
A working group of E.U. member-states’ data-protection authorities issued a critical judgment of the new deal on April 30, raising the possibility that the region’s various regulators are not ready to endorse it.
With the European Parliament set to vote on ratifying the Privacy Shield in June, thousands of U.S. companies worry that the agreement will fail, and they will be left without a legal means of transferring Europeans’ data between the two regions.
Data privacy is a fundamental right in the European Union, enshrined in Article 8 of the E.U. charter.