The deal that’s supposed to give U.S. companies an easy(ish) way to handle the data of European customers and employees is—as it stands—a dud. That’s according to the EU data protection supervisor, Giovanni Buttarelli, who issued his official opinion on the beleaguered pact on Monday.
Buttarelli doesn’t have the power to kill the “Privacy Shield” deal, which was announced earlier this year as a replacement for the struck-down “Safe Harbor” arrangement. However, he is the top data protection adviser to EU lawmakers, and his rejection of the current Privacy Shield draft is shared by privacy regulators from across the bloc, as well as the European Parliament.
Representatives of the EU member states have so far not given their opinion on the Privacy Shield draft, which was the result of several panicked months of negotiations between the EU and the U.S.
Get Data Sheet, Fortune’s technology newsletter.
Safe Harbor was a self-regulatory register for U.S. companies who wanted to handle the personal data of EU citizens, through which the firms could say they adhered to EU-strength privacy standards. However, it was struck down last year by the European Court of Justice, because it did not guarantee real EU-strength protections for the privacy of those citizens. The Snowden revelations played a big role in this.
According to Buttarelli, Privacy Shield “as it stands is not robust enough to withstand future legal scrutiny before the Court.” In other words, when someone challenges it, it will fall like Safe Harbor fell, taking everyone back to square one.
“Significant improvements are needed should the European Commission wish to adopt an adequacy decision [to establish the Privacy Shield regime], to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms,” Buttarelli said in a statement.
“Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.”
One of the big problems is that the U.S. intelligence agencies still retain the right to conduct mass surveillance on Europeans’ data under certain, rather broad conditions—for the purposes of investigating terrorism, cybersecurity, espionage and so on. EU law generally classifies non-targeted surveillance as disproportionate.
Buttarelli wrote in his opinion that the EU should get “additional reassurances” from the U.S. “in terms of necessity and proportionality, instead of legitimizing routine access” to data that has been transferred from the EU to the U.S.
He wrote:
… notwithstanding recent trends to move from indiscriminate surveillance on a general basis to more targeted and selected approaches, the scale of signals intelligence and the volume of data transferred from the EU, subject to potential collection and use once transferred and notably when in transit, may still be high and thus open to question.
Like other critics of the scheme, Buttarelli also said the role of the proposed “ombudsperson”—a new institution in the U.S. which would exist to hear the privacy complaints of EU citizens—would not be sufficiently independent, as currently described in the deal.
Buttarelli suggested self-regulation would not work in the long term to protect people in a “globalized digital world.” He said it would better for U.S. federal law to be updated to “clearly and concisely” identify the fundamental privacy rights that people (in theory) enjoy in the EU. After all, other countries have also had to update their laws in order to get European approval for the transfer of EU citizens’ data.
For more on privacy and surveillance, watch our video.
What’s more, he pointed out that the EU will in a couple years’ time have a new set of privacy rules in the form of the General Data Protection Regulation (GDPR), so the European Commission should be thinking about how a proper long-term deal with the U.S. might take that into account. Companies “should not be expected constantly to change compliance models,” he wrote.
The likelihood of the European Commission setting Privacy Shield in stone next month, as it hoped to do, now looks even slimmer than before. This is, of course, very bad news for U.S. multinationals, who are running out of ways to keep European data flowing to their native shores legally.
