The United States may have to renegotiate an agreement that allows data on European customers to be stored outside Europe.
U.S. business associations criticized an opinion by a European group of privacy experts that expressed concerns about the E.U.-U.S. Privacy Shield, the latest proposed agreement to allow data to be transferred between the European Union and the United States.
The Article 29 Working Party, a committee of data-protection commissioners from European countries, concluded that although the new Privacy Shield agreement between the United States and Europe improves upon an older agreement known as Safe Harbor, it continues to fall short of the privacy protections needed to hold commercial and government entities in check. The Working Party had "strong concerns" about the adequacy of the draft to protect citizens' data, the lack of applicability of the agreement to third-party nations and the complexity of the redress process.
U.S. industry organizations, however, were wary of any delay in the process that could bring clarity to the legal status of data transfers.
"We support the efforts to rebuild some kind of certainty to allow the transfer of data between the two markets," Thomas Boue, director general of policy for the Business Software Alliance's Europe, Middle East and Africa division, told eWEEK. "Certainty in the market is very important, so that companies know what they can and cannot do."
In October 2015, the Court of Justice of the European Union declared invalid the agreement that regulated how U.S. companies could handle European citizens' data. Known as Safe Harbor, the treaty essentially allowed U.S. companies to declare that they would follow the rules of the European Union with respect to data, and that a U.S. government agency, the Federal Trade Commission, would investigate and punish any violations.
With the annulment by Europe's highest court, U.S. businesses have been operating in a legal gray area for months. Privacy commissioners have pledged to give negotiators time to come up with a new agreement. In February, the European Commission unveiled a new agreement, the E.U.-U.S. Privacy Shield. The Privacy Shield agreement requires companies to be more transparent about how they use data, requires the U.S. government to affirm that it is not using mass surveillance and allows yearly review.
The Article 29 Working Party, however, argued that the agreement is overly complex and does not require enough assurances from the U.S. government.
"The representations of the U.S. Office of the Director of National Intelligence (ODNI) do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU," the Working Party said in a statement. "The WP29 recalls its longstanding position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights."
The opinion will likely mean that European and U.S. authorities will have to renegotiate, clarify and strengthen parts of the Privacy Shield agreement, according to analysts at global technology research firm Ovum. The opinion is not binding, but because the group represents the consensus of the privacy commissioners of the EU member states, its criticism carries a great deal of weight.
"Since the [European Commission] announced the key points of its deal with the U.S. authorities, concerns have emerged about certain aspects, such as the many exceptions under which the bulk use of personal data could still be possible for U.S. authorities," Luca Schiavoni, senior analyst for Ovum's regulatory group, said in a statement. "There are also concerns that the powers and independence of the ombudsperson, which should ensure that EU citizens have the ability to seek redress in cases of privacy breaches, are not clearly defined and guaranteed."
Several industry associations criticized the Article 29 Working Party's opinion because they believe it would lead to a delay.
"A prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, hurting businesses, workers and consumers," Information Technology & Innovation Foundation Vice President Daniel Castro said in a statement. "Moreover, there will be many opportunities to build on the initial Privacy Shield Framework, as all parties involved have already agreed to meet at least annually to [discuss] how to further improve the functioning, implementation, supervision and enforcement of the framework."