Microsoft is throwing its weight behind the EU-U.S. Privacy Shield agreement, which is intended to safeguard the privacy of European Union citizens when their personal information is exported to the U.S. for processing.
But a document leaked late last week suggests the proposed agreement does not have the backing of EU data protection authorities, who are meeting this week to finalize their position on it.
Microsoft will seek approval to conduct data transfers under the agreement, its Vice President for EU Government Affairs, John Frank, wrote in a blog post Monday.
He promised the company would respond to individual privacy complaints within 45 days, and comply with the recommendations of national data protection authorities in case of dispute.
However, the agreement does not go far enough, and U.S. and EU officials still have more work to do, Frank wrote: "Additional steps will be needed to build upon the Privacy Shield after it is adopted, ranging from additional domestic legislation to modernization of mutual legal assistance treaties and new bilateral and ultimately multilateral agreements."
The company delivered its verdict on the transatlantic data transfer deal just two days before European Union data protection authorities are due to deliver their own.
Privacy Shield was negotiated to replace the July 2000 Safe Harbor agreement, which the Court of Justice of the EU overturned last October, declaring it incompatible with EU privacy laws.
Those laws require that the personal information of EU citizens only be processed in countries where it can be accorded the same level of privacy protection as under EU law. The Safe Harbor Agreement was inadequate for that purpose, the CJEU found.
When European Commission officials unveiled details of the new agreement with the U.S. in February, they said Privacy Shield answered all the CJEU's criticisms of Safe Harbor. They also published a draft "adequacy decision," the legal instrument required to add Privacy Shield to the list of data transfer mechanisms acceptable under the EU's 1995 Data Protection Directive.
In the draft, the Commission claims it has the support of the Article 29 Working Party, which brings together the EU's national data protection authorities.
The working party hasn't made its mind up yet, though: It has been conducting its own analysis of Privacy Shield since February and is due to finalize its position at a meeting on Tuesday and Wednesday.
German data protection authorities are against Privacy Shield, according to a briefing document accidentally published on their website last week. The document, posted by German lawyer Carlo Piltz to his blog, calls on the working party to reject Privacy Shield as inadequate under EU law.