Article 29 Working Party demands improvements to Privacy Shield (14/04/2016)

The Article 29 Working Party (WP29) held a Press Conference today, Wednesday 13 April 2016, welcoming the improvements brought by the Privacy Shield compared to the Safe Harbour decision, but calling for further improvements to ensure the protection offered by the Shield is essentially equivalent to that offered in the EU.

The WP29 has strong concerns, in particular, with regard to the possibility of bulk collection of personal data originating from the EU, and insufficient guarantees concerning the independence of the Ombudsperson.

Opinion
In assessing the Shield, the Chair of the EU Data Protection Working Party, Isabelle Falque-Pierrotin (also President of France’s DPA, the CNIL) stated that the WP29 took into account the EU Data Protection Directive 95/46/EC, as well as the fundamental rights to private life and data protection enshrined in Article 8 of the European Convention on Human Rights, Articles 7 and 8 of the Charter of Fundamental Rights, and the Schrems' judgment by the Court of Justice of the European Union (CJEU).

The WP29 complained of the complexity and inconsistency of the Shield, which is contained in a set of documents and letters, indicating that the information could have been consolidated better.

Concerning the commercial aspects of the Shield, the WP29 considered that some key European data protection principles are not reflected in the draft adequacy decision and the annexes or have been substituted by alternative notions. For instance, the WP29 noted that the application of the purpose limitation principle to the data processing is unclear. In addition, in regard to recourse of data subjects to exercise their rights, the WP29 considers that too many avenues exist, making it difficult for data subjects to know who to complain to. Further clarification of the various recourse procedures is therefore needed. The WP29 believes that national EU Data Protection Authorities should be considered the natural point of contact for data subjects. The WP29 also highlighted that the text of the Shield will have to be reviewed in light of the new EU GDPR, which enters into force in two years' time, and imposes higher standards of data protection.

Concerns
The WP29 have two main concerns regarding the Shield, including:

1. Bulk collection of personal data originating from the EU: The possibility of massive and indiscriminate surveillance of individuals is not acceptable. The WP29 noted that there is a growing tendency to collect such information in light of the fight against terrorism. It looks with great interest to see how the CJEU will deal with this issue in forthcoming rulings; and

2. The independence and effectiveness of the powers of the Ombudsperson: The WP29 considers the establishment of an Ombudsperson to be a significant improvement for EU individuals' rights with regard to US intelligence activities, but is concerned that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty.

Essential Guarantees
The WP29 highlighted four "essential guarantees" which must be satisfied in order to meet Europe's standards for data protection, including:

  1. Processing should be based on clear, precise and accessible rules
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
  3. An independent and effective oversight mechanism should exist that is both effective and impartial
  4. Effective remedies need to be available to individuals

Conclusion
Major improvements exist in the Shield over the Safe Harbour Decision, and the WP29 believes it is "a great step forward" but that there is still work to do. They urge the European Commission to resolve the concerns raised in order to improve the Shield and ensure the protection offered by the Shield is essentially equivalent to that offered in the EU.

The Opinion of the WP29 is purely advisory, and the European Commission is therefore not obliged to follow its advice. However, in the event that the European Commission decides to proceed without addressing the concerns of the WP29, the DPAs could bring a legal challenge against the Shield that would ultimately come before the CJEU. The Chair of the WP29 stated that the European Commission is expected to publish its final decision on the Shield by June, but it may be September.

In the meantime, the WP29 has confirmed that alternative transfer mechanisms, such as the model contractual clauses and binding corporate rules, can still be used for transfers of data to the US.

Further Information
The two documents published by the WP29 on the Shield today are available below:

1. Opinion 01/2016 on the EU-US Privacy Shield

2. European Essential Guarantees