Summary

On 13 April 2016 EU data protection regulators (in the form of the Article 29 Working Party, comprised of representatives from the data protection authorities of each EU member state) (“WP29”) announced in its much awaited opinion that it does not believe that the proposed EU-US Privacy Shield framework (“Privacy Shield”) goes far enough to protect the rights of EU citizens, for reasons connected with the ‘commercial aspects’ of the Privacy Shield and also US authorities’ access to EU citizens’ personal data.

There is no immediate impact for organisations of the WP29’s opinion, but it puts further pressure on the Commission to negotiate further amendments to the Privacy Shield framework before producing a final decision for adoption and increases uncertainty for all concerned.

What?

A data controller cannot transfer personal data outside of the EEA unless the jurisdiction it is transferring it to ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For many years, transfers from the EU to the US were made under the (now invalidated) Safe Harbor framework, pursuant to a Commission decision that transfers made under the terms of that framework ensured an adequate level of protection. In Schrems last year, the European Court of Justice ruled that the Safe Harbor framework was invalid. Since then, the Commission has been negotiating its successor, the Privacy Shield, and earlier this year published the draft details, stating that it believed that data transfers pursuant to the US under the new framework would ensure an adequate level of protection. The WP29 has reviewed the draft Privacy Shield framework and disagrees with the Commission, believing that it does not go far enough to provide an essentially equivalent level of protection (to that enjoyed in the EU) for the reasons set out below:

  • the first conclusion was that Privacy Shield was overly complex and at times lacked clarity. The WP29 stated that something more simple would have been better.
  • some key data protection principles were not reflected in the draft decision or annexures or had substituted for inadequate alternative provisions, for example the application of the purpose limitation principles and the data retention principle were unclear.
  • there had been progress on onward transfer but it remained inadequate.
  • avenues of recourse were numerous so there was some improvement but the overall system was complex and difficult for the end-user.
  • a revision clause to take into account the new legal framework of the new GDPR should be incorporated into the Privacy Shield.
  • on national security issues WP29 identified four essential guarantees that would be necessary to meet EU requirements:
    • processing should be based on clear precise and accessible rules;
    • necessity and proportionality with regard to the legitimate objective pursued;
    • an independent oversight mechanism must exist (a judge or any independent body, as long as it had sufficient ability to carry out the essential checks)
    • effective remedies must be offered to individuals to defend their rights in front of an independent body.
  • the WP29’s conclusion in relation to national security was that two major concerns remained. Firstly there remains the risk of “massive and indiscriminate surveillance” for public security reasons and this was not acceptable. Secondly the independence of the Ombudsperson under the Privacy Shield was not guaranteed.

Conclusion

WP29 first noted the major improvement of the Privacy Shield compared to the invalidated Safe Harbor. The Privacy Shield was a “great step forward”. There was still work to do however, and WP29 urged the Commission to resolve these concerns, identify appropriate solutions and to provide the requested clarifications in order to improve the draft adequacy mechanism and to ensure that the protection offered by the Privacy Shield was indeed essentially equivalent to the EU.

So what?

There is no immediate impact for organisations of the WP29’s opinion. The position remains as it has been since the European Court of Justice ruled Safe Harbor invalid in Schrems last year: the only current legal way to transfer personal data to the US is by making the transfer pursuant to European model clauses (“EMCs”) or binding corporate rules (“BCRs”) (unless a derogation applies, which will be rare in practice). Any organisation still transferring personal data to the US pursuant to the invalidated Safe Harbor framework is transferring personal data in breach of European data protection legislation.

Data protection regulators in Germany and Spain have moved on enforcement for those who have not adopted alternatives to Safe Harbor. All those relying on EMCs and BCRs will be keeping their fingers crossed that an overall solution can be found so that those solutions are not also adversely impacted. Organisations can take some comfort at this point in the fact that, at the press conference announcing its opinion, WP29 confirmed that EMCs and BCRs are still valid and that it would not re-consider their validity until the Commission had reached its ‘final decision’ on Privacy Shield. However, many have speculated that the Court’s reasoning in Schrems could apply equally to EMCs and BCRs and therefore this deferral until the final decision on Privacy Shield means it is difficult to assume long term comfort even from those mechanisms.

WP29 stressed that the Commission’s negotiations with the US regarding the Privacy Shield framework are ‘ongoing’ at that new propositions can be brought to the table. Many spectators will be hoping that the Commission is successful in negotiating further assurances/amendments to the Privacy Shield which address the concerns raised by WP29 before presenting a final version for adoption. It would be an unfavourable position if the EU were to adopt a law which the regulators of that law believed was insufficient to protect its citizens’ rights. Ultimately, once in force, if and when Privacy Shield is challenged in legal proceedings, it is the courts not WP29 who will decide whether Privacy Shield is valid (or not, like its predecessor), so there will always be uncertainty until that time.