UK customer data 'is still at risk' despite US deal

Industry experts have hit out at the new transatlantic data transfer deal – hailed as a “major achievement” by EU justice commissioner Věra Jourová – insisting it will do little to rebuild confidence in the data market.
The new Privacy Shield agreement, unveiled yesterday, is designed to replace the safe harbour deal which was ruled illegal in October last year. However, it is only a “political agreement”, meaning that until it is finalised – which could take up to three months – companies transferring personal data between the EU and US could still be acting illegally.
Although the UK Information Commissioner’s Office has ruled out taking enforcement action yet, some other EU states have been less forgiving.
Hamburg’s Commissioner for Data Protection Johannes Caspar has said his office has asked about 40 companies for information concerning their transfer of data to the US as it sought to ensure they had complied with the October court ruling that safe harbour is illegal. A far cry from the stance adopted by Jourová (pictured).
And REaD Group chief executive Jon Cano-Lopez reckons it will do little to rebuild consumer confidence over data ownership.
He said: “Many questions about data privacy and ownership still hang in the balance. Under the agreement, the likes of Google and Facebook can continue to hoard personal information on EU citizens, with Privacy Shield simply marking yet another chapter in a long running battle to establish who actually owns our data.
“According to an initial statement, US access to EU data will supposedly be ‘regularly’ monitored. But is a joint annual review really enough to ensure the protection of EU citizen data? I have serious doubts over the robustness of the new framework and believe that any immediate impact will be negligible.”
Cano-Lopez believes the terms of the initial agreement are simply to vague. “Can anyone truly consider it reasonable to visit a price comparison site based in Blackburn on Tuesday and get a call from a Miami based call-centre on Thursday? I think not. This is certainly not the way to engender trust in consumers.”
Meanwhile Cyber Security Partners managing director Stuart Robb maintains there is still a significant level of demystification that needs to take place for businesses and consumers alike.
He said: “For consumers, there have been some reassurances over privacy as the US has given assurances there will not be indiscriminate surveillance. However, ‘necessary and proportionate’ still leaves it unclear as to what level of protection any individual is afforded.
“For businesses, the situation remains equally, if not more, ambiguous. Until we get more clarification, the industry is in no position to move forward with confidence. As it stands, if you are a company that transfers sensitive data to the US, you are still very much in a risk zone. Needless to say we eagerly await the views from the data protection regulatory bodies.”