News: Regulators express concern that the decision does not provide equivalent protection to within the EU.
A document leaked online regarding the ongoing Privacy Shield data protection negotiations between the US and the EU, suggests that European authorities might not back the decision.
A document posted on the website of the State Commissioner for Data Protection of Baden-Württemberg indicates that the Article 29 Data Protection Working Party (WP29) may not approve the European Commission’s proposed decisions on the transfer of data to the US.
Appearing to be from a draft document, the text posted on the website of Dr. Carlo Piltz, a lawyer and privacy expert, said that "the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU."
The WP29 is composed of national representatives from EU countries and representatives from EU institutions. Its decision is not binding, meaning that the European Commission may simply go ahead with the decision anyway.
Plitz wrote in a blog that for this reason, the DPAs include in their mandate for the German representatives the demand that if this happens, the WP29 will support test cases and legal actions against the decision in order to get a hearing in the European Court of Justice.
This new agreement governing the transfer of data across the Atlantic will replace ‘Safe Harbor’. Last year, the European Court of Justice ruled that this was invalid, forcing the commission to start negotiations with the US on a renewed and safe framework on transfer of personal data.
It is required to meet the requirements identified in the court ruling, with respect to limitations and safeguards on access to personal data by the US public authorities.
The decision is of paramount importance to US companies which hold data from European customers, such as cloud providers.
"First and foremost, customers want certainty," said Mark Crosbie, Head of International Trust and Security at Dropbox, speaking to CBR about the Privacy Shield negotiations at the end of March.
"They want to know if they’re doing business with an American company whether they’re on a sound footing with compliance."
Crosbie said: "There are various steps that companies can take, including model contract clauses, where we can provide either legal instruments or technical solutions to people who are concerned about what it means as a European company to use US cloud services.
"You’re going to see more and more attention paid to this by cloud providers; they can’t dismiss it as a European issue any more. This is a global issue and the changes that you need to make in your product are going to be driven by changes on both sides of the Atlantic that will have global ripple effects."