The new data-transfer proposal between the European Commission and U.S. government is better than Safe Harbor, but is still not enough to adequately protect the privacy of European citizens. That was the main takeaway from Wednesday’s highly anticipated press conference on the Article 29 Working Party’s opinion of the proposed Privacy Shield arrangement. Though the group believes more tweaks are necessary in the agreement, the deal is not yet dead, and alternative mechanisms – such as standard contractual clauses and binding corporate rules – are still legitimate for the time being.
WP29 Chairwoman Isabelle Falque-Pierrotin said the Shield proposal was a “major improvement compared to the Safe Harbor” framework, but the group of data protection authorities believes there is still work to do. “We urge the European Commission to resolve these concerns.” She also said the collection of documents and annexes provided by the U.S. government was “rather complex” and “not always consistent,” making it difficult “to understand the whole.”
The WP29 focused on two separate sets of concerns: one deals with the commercial aspects, while the other focuses on the public security issues. In addition to unveiling its opinion, the group has also released a document on the essential guarantees needed in a mechanism.
On the commercial side, Falque-Pierrotin pointed out several issues that needed clarification. For one, the application of purpose limitation “is unclear and seems to open the way for reuse of data for very large purposes and transfers,” she said. Data retention is not “expressly mentioned in the documents and cannot be construed,” she added. There has been progress in including the onward transfer mechanism, she noted, but “the result is not satisfactory.”
But that wasn’t all. Falque-Pierrotin also said there are too many avenues for individual recourse, and the array of recourse avenues is too difficult for end users to navigate, something lawyer and privacy activist Max Schrems pointed out last month during a parliamentary debate on Shield. “We believe the DPAs should be the natural point of contact,” she said.
Perhaps most importantly, she said, the deal needs to have a clause that takes the General Data Protection Regulation into account. On Wednesday, the European Parliament is expected to finalize the GDPR, paving the way for implementation.
“The Shield is built under the Directive,” Falque-Pierrotin said, “But within two years, we’ll have a new framework.”
Unsurprisingly, the WP29 still has concerns with the public security portion of the Shield, concerns that ultimately led to the nullification of Safe Harbor. But looking through a lens that considered European jurisprudence from both the European Court of Justice and the European Court of Human Rights, the WP29 based its assessment on a set of standards – which are discussed in the essential guarantees document – not only for U.S. surveillance, but for EU member states as well.
The two main hang-ups for the DPAs, also unsurprisingly, are based on the six exceptions for bulk surveillance and the independence of the proposed ombudsperson. Falque-Pierrotin conceded that inclusion of the surveillance component in Shield is a good step forward, but she said there’s too much possibility for massive, indiscriminate surveillance under the arrangement. She said WP29 will look “with great interest” toward an upcoming ECJ judgment on passenger name records.
Paul Breitbarth, of the Dutch DPA, said the six exceptions for bulk surveillance were troubling. “We understand these apply to use, and not collection of data,” he said. “They are broadly defined … for us, this is still indiscriminate and bulk surveillance.” He admitted that it’s a difficult balance to reach between individual privacy and national security, but said, “We think intelligence services in the EU and outside the EU should make a better effort to comply with the fundamental human rights and should limit data collection as much as possible.”
On the proposed ombudsperson, Falque-Pierrotin said the group believes “it’s a great innovation, but we still do not have enough guarantees” on the independence and level of power the position will have within the U.S. government.
The regulatory body has been in consultation with the U.S. government as late as last week and expressed its concerns to its counterparts. Falque-Pierrotin said that during a visit with U.S. government officials last week in Washington, DC, clarifications to their questions were provided, but these were only informal and not in writing. Thus, she said, “we cannot consider them having an integral part in the adequacy decision.”
Notably, Falque-Pierrotin several times said that BCRs and SCCs are still valid transfer mechanisms until the Commission finalizes Privacy Shield. She also admitted this means a time of legal uncertainty. “Until we have a final decision from the Commission, we are in a situation of legal uncertainty,” she said.
In his reaction to today's announcement, Max Schrems said today's WP29 "statement is very strong," and that "one can only imagine what some individual authorities think of the Privacy Shield proposal."
In comments provided to Privacy Tracker, Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said, "The Working Party seems to see the Privacy Shield half empty, which will prolong the current uncertainty, but the Commission has put too much effort into this, and I'm sure it will press on." In a separate press release, Ustaran said, "companies should bear in mind when deciding which mechanism to deploy to ensure that their data is protected no matter where it is in the world."
Schrems also thinks the Commission will press on and change some of the Shield's wording, but added, "Given the negative opinion, a challenge to the Privacy Shield at the Courts is even more promising. Privacy Shield is a total failure that is kept alive because of extensive pressure by the U.S. government and some sectors of industry."
Indeed, the Commission's intent to press on with Shield was apparent in several communications Wednesday. On the same day as the WP29 press conference, the European Parliament held a plenary debate on finalizing the GDPR. During the debate, EU Justice Commissioner Vera Jourova – who has played an integral role in the Privacy Shield negotiations – said the Commission “will study the opinion and address concerns in the final decision.”
European Commission Spokesperson Christian Wigand said it plans for adoption in June.
— Christian Wigand (@ChristianWigand) April 13, 2016
As does European Commission Vice-President for the Digital Single Market Andrus Ansip.
— Andrus Ansip (@Ansip_EU) April 13, 2016
Though the WP29’s opinion is non-binding, it is influential. The member states, under Article 31, will next vote on Shield, which is binding, and then the Commission will work to finalize the agreement in June.