European data protection regulators have broadly welcomed the EU-US Privacy Shield proposals but say that despite substantial progress, the European Commission has more work to do.

What’s the issue?

In October 2015, the Court of Justice of the European Union cast the future of data transfers from the EEA to the USA into doubt after striking down the Safe Harbor regime and indirectly questioning the validity of other data export tools. In early February 2016, the European Commission announced agreement of a new EU-US Privacy Shield to replace Safe Harbor and published draft proposals. The announcement was greeted with cautious optimism by businesses and with slightly less optimistic caution by regulators who said they needed to review the details before reaching a decision.

What’s the development?

The Article 29 Working Party (WP), made up of European data protection regulators, has delivered its opinion on the EU-US Privacy Shield. It has welcomed the progress made as a “great step forward” but has stopped short of endorsing the current proposals.

Dividing its opinion into commercial and national security issues, the WP considers that the current proposals are difficult to understand and overly complex, and that they contain causes for concern and points needing further clarification. On this basis, it urges the Commission to continue negotiations with the USA and says it still has work to do to ensure that any adequacy decision really does provide EU personal data transferred to the USA with a level of protection equivalent to that in the EU.

What does this mean for you?

The European Commission is not bound by the WP’s views and will almost certainly proceed towards a decision of adequacy given the political and commercial considerations. However, without the backing of the regulators, the Privacy Shield is unlikely to give any real comfort to businesses because regulators have the ability to investigate data exports irrespective of any adequacy decision by the Commission. During its press conference, the WP said it did not know what would happen if the Commission were to go ahead with the Privacy Shield as currently drafted.

The WP has said it will not give its views on the validity of other data transfer mechanisms until the Commission has made its final decision of adequacy on the Privacy Shield. It is clear that for now, model contract clauses and BCRs for intra-group transfers remain valid data export mechanisms to the USA and that transfers taking place under the old Safe Harbor regime are illegal.

In other words, not much has changed.

The WP makes the following key observations on the current Privacy Shield proposals:

Commercial aspects

  • the data protection principles are inadequately reflected in the Privacy Shield. For example, the purpose limitation is unclear and leaves open the possibility of re-use of data and there is no mention of the data retention principle;
  • the use of terms is inconsistent (for example, what is meant by “processing” and by an “EU individual”);
  • the availability of recourse for EU citizens in relation to the handling of their data has improved but the system proposed is too complex and will be hard for individuals to action. DPAs should be the natural point of contact in the event of any issues;
  • there needs to be a review mechanism to take into account the introduction of the GDPR.

National security aspects

  • the WP has set out four essential guarantees required to comply with European jurisprudence in relation to the processing of personal data for national security purposes:
    • processing must take place in accordance with clear, precise and accessible rules so that a well-informed individual should be able to foresee what will happen to their data;
    • necessity and proportionality must be capable of being demonstrated;
    • there must be an independent oversight mechanism which is effective, impartial and able to carry out appropriate checks;
    • there must be effective remedies for individuals before an independent body;
  • the main concern of the WP is that bulk collection of personal data remains possible. Where this is massive and indiscriminate, it is not acceptable;
  • the WP welcomes the progress made with the introduction of the ombudsperson but is concerned that there are insufficient guarantees about the status, powers and, crucially, the independence of the role.