EDPS rules EU-US Privacy Shield inadequate
Giovanni Buttarelli, European Data Protection Supervisor

The European Data Protection Supervisor (EDPS) has published his opinion on the proposed EU-US Privacy Shield and it’s not good. In a press release, Giovanni Buttarelli, EDPS, said: “I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court.

“Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.”

What is the EU-US Privacy Shield?

The EU-US Privacy Shield was put in place earlier this year after the European Court of Justice struck down the Safe Harbor agreement, which had governed transfers of personal data between the EU and the US. In April the Article 29 Data Protection Working Party (WP29) highlighted its concerns over the Privacy Shield.

Among the points it raised in a 58-page opinion was a serious concern that there was inadequate protection from US authorities when it came to massive and indiscriminate bulk collection of data on EU citizens. This concern was aimed at the US government, which wanted to allow its security services unfettered access to data on EU citizens under the guise of national security.

Buttarelli has made it clear that for the Privacy Shield to be effective and sustain any challenge in the European Court of Justice it must: “provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights.” This statement seems to be in line with the WP29 concerns and demonstrates that attempts to dismiss those concerns were flawed.

Interestingly, the press release states: “The EDPS highlights how he sees essential equivalence working in practice in the context of self-regulation by private organisations where data in transit or transferred to the U.S. may routinely be assessed by law enforcement and intelligence bodies.” While not openly calling out the ongoing Microsoft vs US court case over the issuance of a subpoena for data in an Irish data centre, this statement goes to the heart of that case. It also addresses what many in Europe see as US overreach when it comes to extraterritoriality.

Privacy a major concern for data movement

This is not the only problem on the horizon for EU data watchdogs. They are currently putting to bed the General Data Protection Regulation (GDPR), which will impact companies within two years. However, leaks around the Transatlantic Trade and Investment Partnership (TTIP) talks show that the US wants exemptions for US companies from many of the legal consequences of failing to protect EU citizens' data.

Last week the Irish Data Protection Registrar referred the use of model contract clauses to move data from the EU to the US to the ECJ, as it felt they did not adequately protect EU citizens. These clauses were widely adopted by large US companies after the cancellation of the Safe Harbor agreement and before the Privacy Shield was announced. If the ECJ were to strike these down before the Privacy Shield is fixed, it could paralyse legal data transfers between the two continents and bring many businesses and services to a halt.

The chances of that happening, however, are remote. The ECJ would be unlikely to order an immediate cessation of all data transfers in favour of allowing the European Commission to resolve its problems with the Privacy Shield.


This latest setback for the Privacy Shield and the move by the Irish DPA will worry an awful lot of technology companies. The whole cost premise of cloud computing is lowering cost based on hyperscale deployment of technology. Data sovereignty is already forcing them to move away from data centre consolidation and instead open smaller in-country data centres, which increases their costs.

Buttarelli is unconcerned by the impact of his ruling on commercial companies, the future of cloud computing and the wholesale surveillance of individuals under the guise of national security. In his final statement he urges legislators not to rush into a flawed solution but to take time to find an adequate long-term solution, saying:

“International companies supplying goods and services in the EU should be absolutely clear about all the rules they must comply with. In the EU we do not discriminate on the basis of nationality. Key data protection principles must be covered in the Privacy Shield for it to offer essential equivalence between EU-U.S. law.”

