Leaked extracts from an imminent assessment of the EU-US Privacy Shield replacement for Safe Harbour suggests that a key group of EU data protection authorities will not support it in its present form.
It is expected that the Article 29 Working Party will say that it is "not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection [in the US] that is essentially equivalent to that in the EU." Any transatlantic data transfer scheme that does not provide an "essentially equivalent" level of protection is unlikely to withstand a legal challenge in the EU courts.
The leaked extracts, which have been seen by Ars, were found in an online PDF of the mandate for the German members of the Article 29 Working Party, which is expected to publish its official position of the Privacy Shield scheme soon. The extracts were first pointed out on the blog of the lawyer and privacy expert Dr. Carlo Piltz, who wrote: "These excerpts show that the European Data Protection Authorities are not able to okay the draft adequacy decision by the European Commission." At the time of publishing, it appears the mandate file has been deleted or removed from the Web.
In February, the Article 29 group outline outlined four conditions for the proposed Privacy Shield to meet the standards of EU legislation and protect human rights during the gathering of intelligence. The leaked portions of the Article 29 assessment suggest that the group does not feel all the conditions have been satisfied, which means that it cannot support the European Commission's "adequacy decision"—essentially, a statement that Privacy Shield is good enough to be used.
Although that rejection would be a major blow for the European Commission, approval by the Article 29 group is not required to implement the Privacy Shield framework. The Commission would probably go ahead anyway, since it is under great pressure from the US government, and from companies on both side of the Atlantic, to bring in a replacement for Safe Harbour to resolve the present uncertainties.
The mandate for the German representatives of the Article 29 group seems to foresee that eventuality. As Piltz points out in his blog post, if the European Commission proceeds without fixing the problems of Privacy Shield, the Germans are instructed to demand that "the Article 29 Working Party shall support test cases and legal actions against the adequacy decision in order to find its way to the European Court of Justice." That's a serious threat, since a loss at the EU's highest court would kill off Privacy Shield, and leave the European Commission's overall approach to data transfers in tatters.
If the leak is confirmed by the Article 29's final assessment it would add to a growing chorus of disapproval. As Ars reported last month, leading digital rights organisations on both sides of the Atlantic called for the proposed Privacy Shield agreement to be sent back to the negotiators, as did the French Freedoms and Digital Observatory more recently.
The German Association for Data Protection said in a statement that it was "shocked" by the provisions of the Privacy Shield, while the Transatlantic Consumer Dialogue "urges the European Commission not to adopt the Privacy Shield."