The Article 29 Working Party said changes need to be made to the EU-US Privacy Shield before it can be said to provide adequate data protection, as required under EU law when personal data is transferred from the EU outside of the European Economic Area.
The Working Party said that although there are "important improvements" in the privacy protections contained in the Privacy Shield compared to the previous safe harbor framework, it still has concerns.
It said the Privacy Shield does not protect sufficiently against bulk processing of EU citizens' data by US authorities. It said it is also still to be satisfied that a new ombudsperson, who would be tasked with handling complaints relating to the accessing of EU citizens' personal data by US intelligence agencies, would be independent.
"Given the concerns expressed and clarifications asked ... we believe there is still work to do and we urge the Commission to resolve these concerns, to identify the appropriate solutions and to provide the requested clarifications in order to improve the draft adequacy mechanism and ensure the protection offered by the Privacy Shield is essentially equivalent to that of the EU," Isabelle Falque-Pierrotin, chair of the Working Party, said.
The Working Party would like the European Commission to insert a "revision clause" into the Privacy Shield, she said. The Privacy Shield has been proposed with the requirements of the Data Protection Directive in mind but that Directive will be replaced by the General Data Protection Regulation, expected to be finalised later this week, which "will be more demanding in terms of protection", she said.
Falque-Pierrotin said that businesses can continue to use existing data transfer mechanisms, such as model contract clauses or binding corporate rules, to underpin data transfers to the US for now. She said the Working Party will outline its views on the validity of those data transfer mechanisms after the Commission sets out its final decision on the Privacy Shield, which is expected in mid-June.
It is, however, "clearly illegal" for companies to rely on complying with the invalidated safe harbour framework as demonstrating compliance with EU law on data transfers, she said.
The Privacy Shield is a framework that EU and US officials hope can replace the previous safe harbor agreement which was invalidated by the EU's highest court in October last year.
Earlier this year the European Commission published a draft 'adequacy decision' which outlined its view that data transfers to the US made under the EU-US Privacy Shield would correspond to EU data protection law requirements. The privacy principles that businesses will have to comply with if they sign up to the Privacy Shield were also detailed in the documents published by the Commission at the time.
The Commission's draft adequacy decision has still to be formally adopted by the EU's College of Commissioners. In February, when the EU-US Privacy Shield was first announced, the Commission said that, once a draft adequacy decision was prepared, the new framework could be adopted "after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the member states" (the Article 31 Committee).