THIS ARTICLE WAS FIRST PUBLISHED ON LEXIS®PSL IP & IT ON 20 APRIL 2016. CLICK FOR A FREE TRIAL OF LEXIS®PSL

IP & IT analysis: The EU Article 29 Data Protection Working Party (the Working Party) recently proposed changes to the EU-US Privacy Shield agreement (Privacy Shield). Vikki Hoyle, associate, and Hayley Lawrence, solicitor, both in the Regulatory and Compliance Group, explain the latest developments.

As anticipated, the Working Party, often known as WP29, a group of the EU’s data protection regulator met in Brussels to discuss the European Commission’s Privacy Shield scheme, the proposed replacement for Safe Harbor.

What has the Working Party said about the Privacy Shield?

On 13 April 2016, the Working Party delivered their long awaiting opinion 01/2016 on the Privacy Shield draft adequacy decision via a press conference. Although the Working Party has welcomed the significant improvements that the Privacy Shield has made on Safe Harbor—in particular addressing many of Safe Harbor’s shortcomings which the Working Party had identified in 2014—it also has a number of criticisms of the new mechanism.

Key among these is the lack of clarity and consistency created by embodying the basis of the Privacy Shield across several documents and failing to use terminology which is consistent with the EU legislation.

The Working Party believes that the inconsistency of the language used opens up a number of loopholes which could enable parties to circumvent their obligations under EU law.

What other issues has the Working Party raised?

The Working Party has a number of additional concerns with the Privacy Shield, including:

  • the absence of any express reference to the data retention principle
  • the lack of protection against automated processing
  • the absence of safeguards for onward transfers of data from the US to other countries
  • the overly complex and therefore ineffective redress mechanisms, and
  • the need to agree the specific mechanics of the annual joint review of the Privacy Shield well in advance of the first review

As the Privacy Shield has been drafted in the context of the existing data protection framework, the Working Party has also highlighted that following the adoption of the new General Data Protection Regulation (GDPR) by the EU Parliament on 14 April 2016, the Privacy Shield will need to be reviewed in two years’ time when the GDPR comes into force to ensure that it remains consistent with the EU legislative framework.

However, by far its biggest concern is that the Privacy Shield still does not prevent massive and indiscriminate collection of EU personal data by US public authorities and that the newly created ombudsperson neither has adequate powers nor is sufficiently independent to provide a satisfactory remedy for EU individuals whose personal data is misused.

What impact will this have on adoption of the Privacy Shield?

It creates something of a stalemate—the Working Party cannot veto the Privacy Shield, but at the same time the Commission cannot bind the Working Party members—representatives of the EU national data protection authorities (DPAs)—by its finding that the Privacy Shield offers adequate protection.

Given that the Working Party is made up of the DPAs, who are responsible for enforcing EU data protection legislation at national level, its opinion is indicative of the approach the DPAs are likely to take in relation to data transfers made under the Privacy Shield.

The Working Party’s lukewarm response also makes it more likely that the Privacy Shield will be challenged before the Court of Justice of the European Union (CJEU) again, possibly by Max Schrems (the litigant who mounted the original challenge) who has reportedly described the Privacy Shield in damning terms as ‘lipstick on a pig’ (see C-362/14Schrems v Data Protection Commissioner [2015] All ER (D) 34 (Oct)).

The Working Party has asked the Commission to:

‘resolve its concerns, identify appropriate solutions and provided the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.’

However, in reality, the Commission cannot make any changes to the Privacy Shield without first negotiating these with the US.

While the US may be open to some of the Working Party’s suggestions—such as agreeing a set of clear definitions and including them in a glossary—it is difficult to see the US agreeing to accept any further restrictions on the ability of its secret services to carry out mass surveillance for the purposes of national security.

Will the Commission adopt the Privacy Shield without addressing the Working Party’s concerns?

The Commission is under a significant amount of pressure to adopt the Privacy Shield and end the current legal uncertainty. If the US refuses to negotiate any amendments to the agreed framework, the Commission may have no alternative.

What will happen if it does?

To quote Isabelle Falque-Pierrotin, the chairman of the Working Party, ‘nobody knows’.

It will depend to some extent on the outcome of the cases currently before the CJEU regarding massive and indiscriminate data collection. If the CJEU rules that such data collection is illegal, it opens the door for a successful legal challenge to the Privacy Shield.

What’s next for the Privacy Shield?

The Article 31 Committee (which consists of representatives of the Member States) is expected to consider the Privacy Shield at its meetings on 29 April and 19 May 2016 before issuing its opinion (which is non-binding on the Commission).

The Commission’s final decision is currently expected to be issued in mid-June 2016.

In light of the current legal uncertainty, what approach are the DPAs taking?

Back in February 2016, the French DPA, the Commission Nationale de l’Informatique et des Libertés, issued a formal notice to Facebook ordering it to comply with the French Data Protection Act within three months—including requiring it to stop transferring data to the US on the basis of Safe Harbor. There have also been unconfirmed reports that the German DPAs have already begun to take enforcement action against organisations which continue to use Safe Harbor.

The Information Commissioner’s Office hasn’t yet commented on the Working Party’s opinion. However, its previous position was that it wouldn’t be ‘rushing to use [its] enforcement powers’ as ‘[t]here is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act quickly to prevent’.

The Working Party has confirmed that model contract clauses and corporate rules are valid and binding and businesses can rely on these for the purposes of transatlantic data transfers. However, the Working Party has also indicated that it intends to review both mechanisms once the Privacy Shield has been finalised.

What should businesses be doing now?

For the time being at least, the advice remains that UK organisations should review what data they are transferring, where it is being transferred to and what arrangements have been put in place to ensure that it is adequately protected, without making any ‘knee jerk’ changes to those arrangements.

US organisations should start reviewing their existing data protection policies and procedures to assess whether they comply with the privacy principles and updating these where appropriate.

Organisations on both sides of the Atlantic will need to keep up to date with the developments on the Privacy Shield to ensure that they are ready to implement any necessary changes as soon as the mechanism is finalised.