On April 13, 2016, the Article 29 Working Party released its opinion on the EU-US Privacy Shield. Having reviewed the draft Privacy Shield documents, which included an adequacy decision and supporting texts, the Working Party has now expressed several concerns with both (a) the ability of the Privacy Shield to adequately protect the rights of Europeans and (b) the inconsistencies and lack of clarity in the drafting of the Privacy Shield.
As you may recall, the Privacy Shield was developed as a response to the invalidation of the EU-US Safe Harbor program. Safe Harbor was previously the most widely used method of data transfer to permit the lawful transfer of data from the EU and European Economic Area to the US. Under EU law, the US fails to provide adequate data protections to permit the free flow of information and an approved transfer mechanism is, therefore, required to permit the sharing of data to the country. The Privacy Shield was developed to address this need and announced in February of this year. That said, the Working Party feels that it still needs some work.
Who is the Article 29 Working Party?
The Working Party serves as an advisory committee to the European Commission regarding data protection matters. It is composed of representatives from the various data protection authorities in each EU Member State, the European Data Protection Supervisor, and a representative from the European Commission. In its advisory role, the Working Party provides national-level expert advice regarding data protection, promotes the uniform application of data privacy legislation across the various EU Member States, Norway, Liechtenstein and Iceland, and advise the European Commission regarding any law that may impact data protection rights.
What does the Article 29 Working Party’s Think of the Privacy Shield?
In short, “meh.” While the Working Party welcomed the development of the Privacy Shield as an important step and appreciates the US government's offer of increased transparency, it still expressed several notable concerns, including in the following areas:
- Drafting: the documents are characterized as both “inconsistent” and “lacking clarity” in several areas;
- Timeliness: the Privacy Shield will need to be reviewed again following the application of the forthcoming General Data Protection Regulation (see here for more information on the GDPR);
- Protections: several key protections under EU data privacy law, including data retention requirements, automated processing protections, and coverage of data processors, are not adequately addressed;
- Onward Transfer: the Privacy Shield does not adequately address onward transfer of data from the US to a third country that lacks adequate data protection standards;
- Redress: the Ombudsman and description of redress mechanisms appear overly complex and difficult to be effective; and
- Continued Surveillance: the US has not agreed to stop massive and indiscriminate collection of personal data originating from the EU, which is a concern for the Working Party as such surveillance is not deemed necessary and violates what it views as fundamental rights data privacy rights.
So, What Now?
The European Commission will further consider the Working Party’s opinion. In the meantime, organizations desiring to transfer data from the EU to the US must rely upon one of the other data transfer methods that permit transfer of data from the EU to a country lacking adequate data protection safeguards, such as the US. Of the currently approved methods, the standard contractual clauses appear to be the most reasonable method for transfer outside of an organization, at this time. They are pre-approved contractual language that, once incorporated into an agreement (unchanged) and agreed to by the parties, permits the transfer of data between either two data controllers or a data controller and a data processor. That said, even the clauses are likely to face scrutiny in the coming months and years. Further, the clauses have their own difficulties given that some countries still require specific approval of the clauses before data transfers may take place.
Companies are advised to stay vigilant in this time of rapid change. Despite the evolving nature of this area, data protection authorities remain poised and ready to investigate and fine companies conducting data transfers absent appropriate safeguards.