On Wednesday, the EU’s Article 29 Working Party issued its much-anticipated statement on the viability of the proposed EU-US Privacy Shield. As we’ve detailed previously, EU and US officials reached agreement on the Privacy Shield arrangement, which was meant to serve as a replacement for the invalidated Safe Harbor program, back in February, and released details of the Privacy Shield scheme a few weeks later. Observers then began eagerly awaiting the Article 29 Working Party’s opinion on the Privacy Shield, because even though the group’s opinion is not binding on the European Commission – which is responsible for shepherding the Privacy Shield through the approval and adoption process – it nevertheless may prove influential as that process moves forward.
The Working Party’s statement begins by recognizing the “significant improvements brought by the Privacy Shield compared to the Safe Harbor” program, but nevertheless goes on to cite “strong concerns” about the security of the data that would be transferred under the Privacy Shield. More specifically, the Working Party believes that the Privacy Shield does not adequately address a number of data protection principles enshrined in EU law, such as purpose limitation (the requirement that personal data be processed for a specific purpose, and that additional processing be carried out in line with this purpose), data retention, and protection of data subjects from automated decision-making. Moreover, the statement claims that it may be too difficult for Europeans to resort to recourse mechanisms in the US if they feel their personal data has been misused. This last part of the statement may prove to be a major hurdle going forward, as granting Europeans the right to pursue such recourse was a cornerstone of the US approach to addressing EU data security concerns and, as such, facilitated the negotiations that ultimately led to the Privacy Shield agreement. Along those same lines, the statement expresses concern that the Ombudsperson contemplated by the Privacy Shield as a recourse mechanism may not be sufficiently independent, as the Ombudsperson will work within the US Department of State. Perhaps unsurprisingly, the Working Party also is concerned that the Privacy Shield does not adequately foreclose the possibility of “massive and indiscriminate collection of personal data” exported to the US from the EU.
The statement also echoes the complaints of some practitioners in noting that the Privacy Shield currently suffers from a “lack of clarity” owing to the fact that the details pertaining to the program are contained in a series of documents, thus making some of those details difficult to find. The Working Party further states that the Privacy Shield will have to be reviewed again in 2018, after the General Data Protection Regulation (GDPR) becomes law, in order to ensure that the Privacy Shield complies with the new privacy regime.
The Working Party’s concerns, as voiced in its statement, serve to underscore the likelihood that the Privacy Shield will face legal challenges even if it is finalized and implemented in the coming months. Companies that need to engage in cross-Atlantic data transfers should consider adopting standard contractual clauses or binding corporate rules to legitimize those transfers, as the Privacy Shield may not be a reliable means of legally exporting data out of the EU for some time, if ever.