The EU’s consumer protection group has rejected in its current form the new rules written to govern EU-US data transfers.
Despite the new regs receiving early support from Microsoft, the Article 29 Data Protection Working Party has fallen on the side of Snowden in criticizing the US government and European Commission’s replacement for Safe Harbor.
Although the set of documents has “some improvements compared to Safe Harbor,” the group said in a meeting to discuss the proposal that it could still allow for “massive and indiscriminate” collection of EU citizens’ data by the US.
It also raised concerns about the new US-based independent ombudsperson role and whether it’ll really be able to protect EU citizens.
The chair Isabelle Falque-Pierrotin said that although having such a person would be a:
great innovation… still we believe that we don’t have enough security guarantees in the status of the ombudsperson and the effective powers in order to be sure that this is really an independent authority.
The range of potential routes for redress should your data be unlawfully accessed, Falque-Pierrotin said, is also “difficult for the end user.”
The Privacy Shield documents were called “complex to understand” and “unclear” in places, so the group has asked for written clarification on or revision of the new rules.
Privacy Shield has also not taken into account new, and more stringent, EU-wide data protection rules that will come force in spring 2018.
The Commission is not bound by the opinion of Article 29 but, as its sole purpose since 1995 has been the “protection of individuals with regard to the processing of personal data and on the free movement of such data,” it’d be worrying if its warning is not heard.
Article 29 can, however, stop data transfers that it’s concerned about.