European Data Protection Authorities have announced that, in their view, further work is required to ensure the proposed EU-US Privacy Shield provides sufficient protection to European data transferred to the United States.

In a press conference this afternoon, the Article 29 Working Party (Art 29WP) - the body of European Data Protection Authorities - confirmed it would not approve Privacy Shield in its current form and urged the European Commission to resolve some key issues and provide further clarifications.

However, it is not clear whether the European Commission will seek to re-open its negotiations with the United States government to accommodate the non-binding opinion of the Art 29WP. Isabelle Falque-Pierrotin, Chairman of the Art 29WP and of the French Data Protection Authority, implied at the press conference that the Art 29WP does not expect to issue any further opinion on Privacy Shield and that it will await the European Commission's formal position on the adequacy of the scheme.

While this leaves organisations with continued uncertainty regarding international transfers of personal data – until at least June or possibly September – there was some comfort as it was confirmed that other solutions for international transfers currently remain unchanged following this review.

Background

The EU-US Privacy Shield is a framework legal solution to permit the transfer of personal data from the European Economic Area to organisations in the United States that have signed up to the scheme.

The new framework, which achieved political agreement between the EU and US in February, is to act as a replacement for the old Safe Harbor scheme. Safe Harbor was declared invalid by the Court of Justice of the European Union in October 2015 following a case brought by Austrian law student Max Schrems.

However, the political agreement on Privacy Shield marked the end of a two-year-long negotiation on EU-required improvements to the Safe Harbor scheme, with the accelerated timescale following the Court decision welcomed by the Art 29WP as "very positive".

Many of the negotiated improvements in the Privacy Shield scheme met with approval from the Art 29WP, which also described the Privacy Shield as a "great step forward".

However, there were a number of areas that the Art 29WP identified as unacceptable, including in the area of national security and protection of European data against mass surveillance in the United States. This is an area where criticism of Privacy Shield has been strongest since details of the scheme were published.

Need for Improvement

In addition to criticising the overall structure of the Privacy Shield framework as too "complex", the Art 29WP grouped its areas for further work into two categories:

1. Commercial aspects of Privacy Shield: While "important improvements" have been made in relation to areas such as individual rights and onward transfers of European data from the US, the Art 29WP's view was that:

  • some key European data protection principles are not accurately or completely transposed into the Privacy Shield, including purpose limitation and data retention; and
  • the recourse mechanisms available to European citizens are too complex and difficult, and so are not a suitable form of redress.

In addition, the Art 29WP urged that the terms of Privacy Shield should require it to be revised in two years' time, once the General Data Protection Regulation (which is due to receive its final legislative approval on Thursday) comes into effect.

2. National security: In assessing Privacy Shield, the Art 29WP has produced a separate "essential guarantees" working paper that identifies, from European jurisprudence, the key protections that are afforded to European personal data processed in connection with national security. It is against these guarantees that all surveillance involving European personal data must be assessed, both in the United States and elsewhere.

The Art 29WP identified two key concerns in the Privacy Shield:

  • the possibility that bulk collection of personal data was permitted within the framework of Privacy Shield without protection against massive and indiscriminate surveillance was "not acceptable"; and
  • the guarantees regarding the status and effective powers of the Ombudsman mechanism, established under Privacy Shield to oversee complaints regarding US law enforcement surveillance practices, are insufficient to ensure the Ombudsman's true independence.

Next Steps

The formal Art 29WP opinion is due to be released later this afternoon – and was not available at time of publication. This will likely confirm that the Art 29WP thinks the Privacy Shield does not ensure an "essentially equivalent" level of protection for European personal data when processed in the United States. This would be consistent with apparent extracts of the opinion that appeared in press reports last week following a leak by German Data Protection Authorities.

The next formal stage is the delivery of an opinion on the adequacy of Privacy Shield by the Article 31 Committee – representatives of each of the European Member States.

This will be followed by the formal decision of the European Commission through adoption or rejection by the College of Commissioners. At this time it is not clear whether political and business pressure will steer the Commission towards adoption of the Privacy Shield regime without further refinement or re-negotiation.

Indeed, this afternoon a spokesman for the European Commission tweeted "European Data Protection Authorities welcome 'significant improvements' by #PrivacyShield - we aim for adoption in June".

However, should the European Commission proceed with adoption in the face of this Art 29WP opinion, it is likely that the decision will face the risk of a further challenge in the European courts. Indeed, Falque-Pierrotin implied as much during this afternoon's press conference.

The advice for businesses that rely on transfers to the United States is to continue to watch developments regarding Privacy Shield, while noting that the other legal solutions for international transfer of personal data that businesses should have adopted following the invalidation of Safe Harbor continue to be valid.