On April 13, 2016, the Article 29 Data Protection Working Party (Working Party) refused to endorse the proposed Privacy Shield agreement between the United States and European Commission (Commission) slated to replace, as early as this summer, the recently invalidated “Safe Harbor” agreement between the two powers. The Working Party cited a need for revisions and clarifications of several points in the proposal before it would bless the Privacy Shield, in part because “some key data protection principles as outlined in European law are not reflected in” the proposal.
Among other things, the Working Party took issue with the national security exceptions in the proposed Privacy Shield, which, according to its opinion, would allow for “massive and indiscriminate collection of personal data originating from the EU” in violation of the fundamental rights of its citizens. With respect to these exceptions, the Working Party noted that it will look to forthcoming rulings of the European Court of Justice that could shed light on the legality of mass data collection in the EU. Another Privacy Shield item with which the Working Party took issue was the complexity of the proposed redress mechanism. The Working Party suggested clarification of the redress process prior to the ratification of the Privacy Shield.
Though the Working Party, which was set up under the 1995 Directive on the protection of personal data, is strictly advisory, the Commission may make revisions based on its suggestions. This could prolong the current period of EU-US data protection uncertainty. Furthermore, if the Commission chooses not to act on these suggestions, flaws cited by the Working Party may be targeted by plaintiffs claiming data protection violations in the future.
If you have any questions about data privacy and regulatory compliance, please contact one of our Cybersecurity & Data Privacy attorneys. Click here to view the full text of the Working Party’s opinion and here to view our previous alert about the invalidation of the Safe Harbor.