The Article 29 Working Party (“WP29”) has published its opinion on the EU-US Privacy Shield (“Privacy Shield”) and has concluded that although the proposed new arrangement is an improvement on Safe Harbor, it requires further work. The Privacy Shield was developed jointly by the European Commission and the US Department of Commerce to replace the Safe Harbor framework, which was declared invalid by the Court of Justice of the European Union in the Schrems case.
The various documents constituting the Privacy Shield were published by the Commission on 29 February in the form of a draft “adequacy decision”. These included the privacy principles that US companies receiving personal data originating from the EU will have to comply with, as well as written commitments by the US Government on enforcing the arrangement, including assurances on the safeguards concerning access to data by public authorities.
The WP29, an advisory group composed of representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission, adopted an opinion on the Privacy Shield draft adequacy decision on 13 April 2016.
The WP29, while welcoming the “major improvements” the Privacy Shield offers compared to the Safe Harbor decision, stated that it still had “strong concerns” on both the commercial aspects of the Privacy Shield and the potential access by US public authorities to personal data transferred from the EU to the US under the Privacy Shield. It noted that some key principles of European data protection law, notably in relation to data retention and purpose limitation, are not adequately reflected in the Privacy Shield.
The WP29 also expressed concerns that the assurances from US authorities on limiting access to data by public authorities do not exclude “massive and indiscriminate collection of personal data originating from the EU” (which was one of the main criticisms of Safe Harbor arising from the Schrems case). Furthermore, the WP29 is concerned that the proposed “Ombudsperson”, to be appointed to investigate complaints by EU citizens regarding the use of their data on US soil, is not vested with sufficient powers to provide EU citizens with an effective remedy.
The WP29 also noted that the Privacy Shield will need to be reviewed following the entry into force of the General Data Protection Regulation, in order to ensure that the enhanced protections for personal data set out in that Regulation are reflected in the Shield.
Although the recommendations of the WP29 are not binding on the Commission, the Commission is likely to take the group’s concerns seriously, particularly as such concerns could form the basis of future court challenges to the arrangement. In light of this, it is not clear whether the Commission’s initially expressed aim of formally adopting the decision by June 2016 is still feasible.
In the meantime, however, it appears clear that organisations based in the EU who need to transfer personal data to the US should continue to rely on one of the currently approved exemptions to the prohibition on the transfer of personal data outside of the EEA, such as obtaining data subjects’ consent, entering into data transfer agreements based on the EU Commission approved “Model Clauses”, or (for multi-national organisations) putting in place “binding corporate rules”.