The Article 29 Working Party of European Data Protection Authorities (“Art29WP”) held a conference on the EU/US Privacy Shield on Wednesday, 13 April 2016 and issued a statement on it. While it has welcomed the Privacy Shield as an improvement on the safe harbour regime, it has "strong concerns" over the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.
In relation to the commercial aspects of the Privacy Shield, the Art29WP is concerned that the Privacy Shield does not provide an equivalent level of data protection to that which data subjects are entitled to under EU Data Protection Legislation. It highlights that some of the fundamental Data Protection principles have not been reflected, while others have been inadequately substituted. It specifically mentions that the purpose limitation principle as it applies to data processing is not clear, and is concerned that the data retention principle has not been expressly stated. It is also critical of the fact that the protections which should be afforded against automated individual decisions arising from automated processing have not been addressed.
In relation to public authority access, the Art29WP is particularly concerned that the US Office of the Director of National Intelligence has not provided sufficient details to exclude the possibility of massive and indiscriminate surveillance of EU personal data by US public authorities under the Privacy Shield. The Art29WP is clear that the massive and indiscriminate collection of data “can never be considered as proportionate and strictly necessary in a democratic society”. While it acknowledges the threat of terrorism today, there remains a lack of conclusive jurisprudence on the collection of personal data and its use for the purpose of combatting crime, and it therefore awaits the Court of Justice of the European Union’s judgments on cases concerning massive and indiscriminate data collection.
While the Art29WP Statement is not binding, it will be of persuasive value to the EU Commission, and it appears that there is more work to be done on the text before it provides a standard of data protection equivalent to that of the EU. We will continue to monitor the developments of the Privacy Shield.