EDPS: Privacy Shield is not good enough

The European Data Protection Supervisor (EDPS) has issued an Opinion in which he says that the proposed EU-US Privacy Shield is not robust enough.

Giovanni Buttarelli, EDPS, said: "I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court [of Justice of the European Union]. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue."

Recognising that organisations should not be expected to constantly change compliance models, the EDPS proposes some improvements to the Privacy Shield. These include integrating all main data protection principles, limiting derogations and improving redress and oversight mechanisms.

It is expected that the Article 31 Group, consisting of representatives of EU Member States, will form its view this summer. A positive decision would enable the EU Commission to adopt the adequacy decision for the Privacy Shield.

In the meantime, the Data Protection Commissioner of Hamburg, Germany, Dr Johannes Caspar, has fined three companies that have been relying on Safe Harbor. According to Der Spiegel online, the three companies concerned are Adobe (fined 8,000 Euros), Punica (fined 9,000 Euros) and Unilever (fined 11,000 Euros). The maximum level of fines is 300,000 Euros, but all three companies have found a different legal basis for their international data transfers.