The US is under increasing pressure over Privacy Shield as an EU lawyers' association backed MEPs’ calls for a suspension of the deal.
Privacy Shield – which governs trans-Atlantic data flows, making it essential for the day-to-day workings of large numbers of companies – was hurriedly drawn up in summer 2016 after its predecessor, Safe Harbor, collapsed.
At the time the deal was signed, there were a number of misgivings from data protection watchdogs and observers – but the implication was that they would be ironed out once it was in place. That they still haven't is a source of increasing frustration for MEPs, privacy watchdogs and activists.
Now, the Council of Bars and Law Societies of Europe (CCBE) – which represents 32 member countries and 13 associate and observer countries – has repeated its concerns over the deal's suitability and called for an immediate suspension.
"The CCBE calls on the Commission to suspend the Privacy Shield and to offer its reimplementation on the condition that the necessary guarantees and safeguards, which are currently lacking, have been implemented," it said.
The intervention comes as a group of MEPs, who called for a ban on the deal if the issues aren't addressed by September, travels to Washington to discuss data privacy.
Relations between the US and the European Union are already strained over issues such as NATO and Russia, and the prospect of another data transfer deal collapsing heaps pressure on both sides as businesses are reliant on being able to send data across the Pond.
Schrems' Facebook case edges closer to ruling over EU-US data flowsREAD MORE
This is partly because other methods, such as the Standard Contractual Clauses that firms fell back on in the aftermath of the Safe Harbor ruling, are also under pressure as they await a ruling from the Court of Justice of the European Union in Max Schrems' long-running case against Facebook.
Time to take action
When Privacy Shield was agreed, one of the terms was an annual review. The first such report said there was still much to do, including work to meet specific requirements for oversight, as well as broader questions on the Trump administration’s attitudes to privacy and security.
In spite of this, the European Commission said Privacy Shield offered an "adequate" level of protection for personal data transferred from the EU to the US – a position that disappointed many observers and drew criticism from EU watchdogs.
With the problems looking no closer to being fixed, the European Parliament voted in favour of a resolution this month calling for the deal to be suspended if it isn't up to scratch by 1 September – a resolution the CCBE today backed.
CCBE conclusions about the Privacy Shield have been reflected in the @Europarl_EN’s Resolution in paragraphs 7, 20, 24, 26, 33 and 35. The Privacy Shield must be suspended until the necessary guarantees and safeguards, which are currently lacking, have been implemented. pic.twitter.com/b8tvOm9Qum— CCBE (@CCBEinfo) July 16, 2018
The CCBE pointed to a number of specific problems it sees with the new deal and with the annual review, saying that "none of these crucial issues are sufficiently addressed in the report". In a document issued alongside the statement, the CCBE listed its concerns over a lack of legal remedies, binding control and oversight.
For instance, it said that the Privacy and Civil Liberties Oversight Board "does not have any effective powers and is thus a toothless tiger that cannot protect European citizens from arbitrary interferences".
The group argued that this external board isn't a judicial body, while the internal oversight body isn’t properly independent from the executive – which means the basics of the deal are deficient.
The CCBE also took issue with the "limited competence" of the ombudsman, saying that this post can only request further action by a US government body or request information.
"It cannot order the authorities to cease and discontinue unlawful surveillance, or order the permanent destruction of information obtained through direct and indirect surveillance," the CCBE said.
In addition, the group questioned whether people who have been subject to unlawful surveillance would able to launch a challenge against it, saying that the "legal situation is everything but clear and it remains an open question whether effective legal remedies exist".
Moreover, it warned these targets might not even be told of any surveillance measures used against them – something that is required under EU law once the measures have been ended, which would allow them to sue for damages.
The CCBE's intervention comes as MEPs on the EU's civil liberties and justice committee (LIBE) begin a four-day trip to Washington to discuss Privacy Shield, along with other data protection issues, with the US government.
The group of nine will meet representatives from the US Departments of State, Justice, Homeland Security and Commerce, as well as the Federal Trade Commission, politicians from the US Congress and Senate, along with industry and NGOs.
Other issues on the table are the Facebook data harvesting scandal, counter-terrorism and cyber security. ®