Exceptions in the proposed EU-US Privacy Shield framework that would allow the US to carry out mass surveillance of EU citizens are "not acceptable," the Article 29 Working Party of EU data protection authorities said today in a press conference.

The Chairman of the group, Isabelle Falque-Pierrotin, explained that the Article 29 Working Party would look with "great interest" on the forthcoming ruling by the Court of Justice of the European Union (CJEU) on whether mass surveillance of EU citizens could be legal. If the CJEU finds that the surveillance carried out by GCHQ is unlawful, it would have a big impact on the national security exceptions included in Privacy Shield.

Falque-Pierrotin said that the data protection authorities also had some concerns about the independence and effectiveness of the Privacy Shield ombudsperson who will deal with complaints from Europeans about how their data has been used by the NSA.

However, the Article 29 Working Party called the proposed Privacy Shield in general a "great step forward" compared to the Safe Harbour framework it is designed to replace. But Falque-Pierrotin said "it is rather difficult to understand all the documents and annexes, as they are complex and not consistent." She went on: "we believe it would have been better to have something simpler and less complex."

Falque-Pierrotin pointed out that the imminent arrival of new data protection rules in the EU meant that the Privacy Shield needed some kind of review mechanism to allow it to be updated. Currently, there is no provision to do this.

The Article 29 Data Protection Working Party, which was set up under the 1995 Directive on the protection of personal data, is purely advisory, and the European Commission is not obliged to follow its advice.

Before making a final decision whether to proceed with the Privacy Shield framework, the Commission will wait to hear from another group set up under the 1995 Directive. The Article 31 Committee consists of representatives of the Member States, and therefore follows their policies, which are broadly in favour of Privacy Shield. The Article 31 Committee is expected to consider the Privacy Shield arrangement at meetings on April 29 and May 19 before issuing its opinion.

The European Commission must then decide whether to try to modify the current Privacy Shield proposal in the light of the Article 29 Working Party's comments, plus any made by the Article 31 Committee. The Commission told Ars that it is hopeful it will be able to give the go-ahead for Privacy Shield in June, which would then come into immediate effect. The European Parliament does not have a vote on this issue, which lies purely within the competence of the Commission.

Until then, the alternative transfer mechanisms, such as standard contractual clauses and binding corporate rules, can still be used for personal data transfers to the US. Falque-Pierrotin said that the Article 29 Working group would not be considering whether these were valid until after the European Commission had produced the final version of Privacy Shield.

Falque-Pierrotin admitted that "nobody knows" what will happen if the European Commission decides to proceed without addressing the most important concerns of the Article 29 Working Party. However, one possibility is that a legal challenge could be brought against the Privacy Shield arrangement that would ultimately come before the Court of Justice of the European Union. As Falque-Pierrotin said during today's press conference, a recourse to the CJEU "is always an option."

Since Safe Harbour was struck down by the CJEU largely because of concerns about mass surveillance, there is a real possibility that Privacy Shield will suffer the same fate unless the the Article 29 Working Party's concerns are adequately addressed. That would lead to even greater uncertainty for transatlantic data flows—something the European Commission and US companies will be keen to avoid.