Earlier today the Article 29 Working Party (29WP) published its response to Privacy Shield, the European Commission’s proposal to replace Safe Harbor for data transfers to the United States.

Whilst the 29WP’s statement (PDF) welcomes a number of “significant improvements” over Safe Harbor, the 29WP calls on the European Commission to address a number of issues:

  • A lack of clarity and inconsistency in terminology across the various documents that make up Privacy Shield
  • A failure to properly reflect the data protection principles, as set out in the Data Protection Directive
  • A concern over the effectiveness of the proposed recourse mechanisms for data subjects who wish to complain about the way in which their data is being processed
  • Concerns over the strength of the reassurances provided by the United States in relation to access to data by surveillance agencies.

The 29WP also notes that Privacy Shield will need to be reviewed following the General Data Protection Regulation (GDPR) coming into force in 2018 to ensure that the Privacy Shield meets the more onerous requirements of the GDPR.

What does this mean for Privacy Shield?

The 29WP’s concerns were perhaps inevitable, given some earlier criticisms of Privacy Shield.

However, the Commission is now faced with a difficult decision. Does it delay the introduction of Privacy Shield and address the 29WP’s concerns head on by seeking changes and further assurances from the United States, or does it ignore the concerns and press on with the approval of its draft adequacy decision knowing that, whatever it does, Privacy Shield is likely to be challenged in the courts?

What is clear is that organisations that rely on transfers of personal data to the United States for their day to day business are faced with continued uncertainty about how such transfers can be carried out lawfully.

The Commission is yet to respond to the 29WP’s statement. In the meantime, we await the output of the 29WP’s review of the legality of the Standard Contractual Clauses (SCCs) and whether the 29WP considers that the concerns expressed by the CJEU in the Schrems case also undermine the Commission’s findings of adequacy in relation to the SCCs.