Microsoft is throwing its weight behind the EU-U.S. Privacy Shield agreement, which is intended to safeguard the privacy of European Union citizens when their personal information is exported to the U.S. for processing.
But a document leaked late last week suggests the proposed agreement does not have the backing of EU data protection authorities, who are meeting this week to finalize their position on it.
Microsoft will seek approval to conduct data transfers under the agreement, its Vice President for EU Government Affairs, John Frank, wrote in a blog post Monday.
He promised the company would respond to individual privacy complaints within 45 days, and comply with the recommendations of national data protection authorities in case of dispute.
However, the agreement does not go far enough, and U.S. and EU officials still have more work to do, Frank wrote: "Additional steps will be needed to build upon the Privacy Shield after it is adopted, ranging from additional domestic legislation to modernization of mutual legal assistance treaties and new bilateral and ultimately multilateral agreements."
The company delivered its verdict on the transatlantic data transfer deal just two days before European Union data protection authorities are due to deliver their own.
Privacy Shield was negotiated to replace the July 2000 Safe Harbor agreement, which the Court of Justice of the EU overturned last October, declaring it incompatible under EU privacy laws.
Those laws require that the personal information of EU citizens only be processed in countries where it can be accorded the same level of privacy protection as under EU law. The Safe Harbor Agreement was inadequate for that purpose, the CJEU found.
When the European Commission officials unveiled details of the new agreement with the U.S. in February, they said Privacy Shield answered all the CJEU's criticisms of Safe Harbor. They also published a draft "adequacy decision," the legal instrument required to add Privacy Shield to the list of data transfer mechanisms acceptable under the EU's 1995 Data Protection Directive.
In the draft, the Commission claims it has the support of the Article 29 Working Party, which brings together the EU's national data protection authorities.
The working party hasn't made its mind up yet, though: It has been conducting its own analysis of Privacy Shield since February and is due to finalize its position at a meeting on Tuesday and Wednesday.
German data protection authorities are against Privacy Shield, according to a briefing document accidentally published on their website last week. The document, posted by German lawyer Carlo Piltz to his blog, calls on the working party to reject Privacy Shield as inadequate under EU law.
The German briefing document calls for the working party's executive summary to state: "Until these issues are addressed, the WP29 considers it is not in a position to reach an overall conclusion on the draft adequacy decision. It stresses that some of the clarifications and concerns – in particular relating to national security – may also impact the viability of the other transfer tools."
It also wants the working party report to conclude: "Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU."
The German delegation wants the European Commission to remove from the adequacy decision any references to the Working Party's approval, and it wants Privacy Shield to be referred to the CJEU if the Commission goes ahead without taking into account the working party's criticisms, according to the document downloaded by Piltz. The German authorities have since removed copies of the document from their websites, he wrote Friday.
The contents of the leak did not surprise Aaron Tantleff, intellectual property attorney at Foley and Lardner.
"The purpose of Privacy Shield was to ensure that there was a mechanism in place to ensure a level of protection in the U.S. that is essentially equivalent to that in the EU. Based upon the current draft of the Privacy Shield framework agreement, I can see how one may find that the current draft does not appear to satisfy this requirement," he said.
The data protection authorities don't get the last word on Privacy Shield. Their opinion is only advisory, and there are other bodies that have yet to weigh in, including the European Parliament.