In a press conference on April 13, the chair of the EU Article 29 Data Protection Working Party (WP), Isabelle Falque-Pierrotin (also president of France’s Data Protection Authority [DPA], the CNIL) expressed concern regarding the Privacy Shield. Specifically, her concerns involved the (1) continued bulk collection of data for surveillance purposes that includes data associated with EU citizens, (2) lack of recognition of the data-retention principle in the Privacy Shield, and (3) independence and authority of the US Privacy Shield ombudsman who would deal with EU complaints.
The WP is still concerned about the possibility of a “massive and indiscriminate” bulk collection of EU citizens’ data. In addition, the DPAs still have various questions about onward data transfers, even though progress has been made on this topic. Chair Falque-Pierrotin said that the EU DPAs have raised several points with the EU Commission and the US administration. Some of these concerns have been met with informal unwritten assurances, but they cannot form an integral part of an adequacy decision.
Some of our immediate observations concerning this latest development follow.
- The EU Commission is not bound by this opinion, but it will make the process difficult for the Commission to approve the Privacy Shield. The EU Commission wanted the Privacy Shield framework to be operational by June, which is now almost impossible.
- If the EU Commission adopts the Privacy Shield framework against the opinion of the WP, this will increase the likelihood of a successful legal challenge and unilateral actions of the DPAs.
- The WP states that Binding Corporate Rules and the Standard Contractual Clauses for EU-US transfers can be used.
- The WP’s major concern seems to be the six exceptions under which the US authorities can still collect European data in bulk, including counterterrorism, cybersecurity, and detecting and addressing certain activities of foreign powers. It is questionable whether these exemptions would survive another review of the European Court of Justice.
- Germany’s DPAs are the most determined to send the Privacy Shield back to the drawing board, according to a leaked document posted on the website of the state commissioner for data protection of Baden-Württemberg last week, arguing that the Privacy Shield is not tough enough.
- The Irish government is concerned about the effect on jobs in Ireland if Privacy Shield rules become tougher, because many US companies with affiliated branches located in Ireland have such branches for the purpose of complying with the EU data protection regime
Further negotiations with the US government on a modified Privacy Shield will be difficult. The WP doesn’t negotiate with the US administration directly, and the EU Commission will be in charge. Further hearings at the EU Parliament will probably support the WP’s stance. If the European Court of Justice supports a legal challenge—which is entirely possible—this could have a ripple effect on other methods for EU-US data transfers, including the EU Standard (Model) Clauses and Binding Corporate Rules.