The United States needs to appoint an independent ombudsperson who can deal with data complaints by EU citizens before 25 May 2018, the EU's data protection authorities said in a report published on Tuesday (5 December).

If it does not, the authorities said they would "take appropriate action", including going to court.

The data watchdogs are known collectively as the Article 29 Data Protection Working Party (WP29), named after the relevant article in the EU's data protection directive.

In their report, they took aim at the EU-US 'Privacy Shield', a scheme put in place last year after a previous data-exchange pact, 'Safe Harbour', was annulled by the Court of Justice of the EU (CJEU).

The self-certification system governs the use of data of European citizens by US companies like Google and Facebook.

"The WP29 acknowledges the progress of the Privacy Shield in comparison with the invalidated Safe Harbour Decision," said the report, which was the advisory body's first annual review of the scheme.

"However, the WP29 has identified a number of significant concerns that need to be addressed by both the commission and the US authorities," it added.

The WP29 called on the European Commission and the US authorities "to restart discussions" and to "immediately" set up an "action plan" that will address the WP29's concerns.

Although Privacy Shield was already agreed in mid-2016, the US has still not appointed an independent ombudsperson to deal with complaints from EU citizens – it still has a temporary one.

It also had questions about the legal powers of the ombudsperson, who would not be able to bring a case to court.

Moreover, the US would only "partially" reveal information about the relation between the ombudsperson and the intelligence community.

The original data-exchange pact, Safe Harbour, was annulled by the EU's highest court after revelations of mass snooping on EU citizens by US intelligence agencies.

The report said that "as long as the applicable procedures will remain classified and will not be shared, the WP29 will not be in a position to assess whether the ombudsperson is vested with sufficient powers to access information and to remedy non-compliance".

Oversight

The WP29 also said that the system, which is based on self-certification, "still lacks sufficient oversight and supervision of compliance in practice" by the US.

It expressed concern that a US oversight body, the Privacy and Civil Liberties Oversight Board, still had vacancies.

The report also criticised the fact that the website about Privacy Shield was mainly targeted at companies that need to comply with the rules, rather than at EU citizens who want to know about their rights.

It said that "the US authorities should strive to offer more information in an accessible and easily understandable form to the individuals regarding their rights and available recourses and remedies".

The WP29 is also worried about a difference of interpretation between the EU and US on what constitutes "HR data", which under the scheme should benefit from extra safeguards.

It said that the US side saw HR data only as data of employees within the same company, while the WP29 saw HR data "as any personal data concerning an employee in the context of an employer-employee relationship".

The report came after eight representatives from EU data protection authorities went on a fact-finding mission to the US in September.

Commission: system functioning correctly

The eight accompanied the commission, which had already produced its own review of Privacy Shield in October.

Although the commission also noted that "the practical implementation of the Privacy Shield framework can be further improved", the general tone of its seven-page report was positive.

"The annual review has demonstrated that the U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield," the commission report said.

According to the EU executive, "the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States".

The commission also called on the US to replace the acting ombudsperson with a permanent one "as soon as possible", without giving a deadline.

Act, or face legal action

By contrast, the WP29 said that the appointment of the ombudsperson and the oversight board members needed to be resolved by 25 May 2018.

Other pending concerns should be "addressed" at the latest during the second annual review, which can be expected in the autumn of 2018.

If the US doesn't comply, the data protection authorities threaten to go to court, which could ultimately lead Privacy Shield to the same fate as its predecessor: annulment.

"In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling," it said.