Further to our recent post discussing the passing of the new EU Safe Harbour Agreement (otherwise known as the ‘Privacy Shield’), the Article 29 Data Protection Working Party has now released a detailed statement providing its view on the Privacy Shield.
The statement sets out significant concerns regarding the protections that the Privacy Shield provides in EU-US data transfers. To satisfy the Working Party, further changes would need to be made to clarify the protection provided in a number of areas, the most important of which are set out below.
International third-party data transfers
Where data is subsequently transferred from the US to third-country recipients, the statement highlights that the effectiveness of EU data protection principles should not be diminished or circumvented. Instead, every organisation that is covered by the Privacy Shield should be obliged to consider the requirements of the data importation legislation of the receiving country and must notify an EU controller if there is any substantial risk that the data protection level may be reduced.
Complexity and inconsistency
The statement expresses concerns around the complexity and inconsistency of the proposed arrangements, which may lead to difficulties in ‘data subjects’ seeking appropriate redress. Concerns were expressed that these difficulties would make the protections ‘ineffective’.
The statement expressed the view that the Privacy Shield does not currently contain an appropriate reflection of the data retention principle. The Working Party is concerned that this may provide organisations with the opportunity to retain personal data indefinitely, which is of significant concern.
The statement concludes by urging the Commission to address the concerns expressed and identify appropriate solutions.