Following the recent adoption of the EU-U.S. Privacy Shield adequacy decision by the European Commission, the Article 29 Working Party (Working Party) met to discuss the EU-U.S. Privacy Shield framework on July 25 and subsequently a statement was released summarizing their reaction to the EU-U.S. Privacy Shield framework agreement. While the Working Party welcomed the improvements brought by the Privacy Shield mechanism, it identified several remaining concerns regarding the commercial aspects as well as the extent of access by U.S. public authorities to data transferred from the EU. It also warned that it will give a thorough look at the operations and effectiveness of the Privacy Shield during the first planned annual joint review.
Concerning commercial aspects, the Working Party indicated that it regrets the lack of specific rules on automated decisions, the absence of a general right to object, and the uncertainty as to the application of Privacy Shield Principles to data processors. Working Party members further announced that they will issue guidance about data controllers’ obligations under the Privacy Shield, and proactively and independently assist data subjects with exercising their rights under the Privacy Shield mechanism, in particular when filing a complaint. Furthermore, the Working Party will provide comments on the citizens’ guide on enforcing their rights and input on the composition of the to be created European centralized body to which complaints against U.S. intelligence and security services will be submitted prior to their transfer to the U.S. Ombudsman that should deal with these complaints of EU citizens.
Government Access to Data
Regarding access by U.S. public authorities to EU data transferred to the U.S. under the Privacy Shield, the Working Party commented that it had expected stricter guarantees concerning the independence and the powers of the Ombudsperson who will oversee such access. It also stated that it regretted the lack of concrete assurances that bulk (mass and indiscriminate) collection of personal data would not take place.
The Working Party pointed to the first joint annual review as being a key milestone for evaluating the robustness and efficiency of the Privacy Shield mechanism. During the review, the Working Party members will assess whether the remaining issues have been solved and whether the safeguards provided under the Privacy Shield are workable and effective. According to the Working Party’s statement, the results of the first joint annual review may also have implications on transfer tools such as Binding Corporate Rules and Standard Contractual Clauses if it is determined that access to EU personal data by U.S. government agencies does not meet the Working Party’s approval.
The Working Party’s statement increases confidence that the EU Data Protection Agencies are likely to respond favorably to U.S. companies that have opted to self-certify their adherence to the EU-U.S. Privacy Shield Principles. U.S. companies that have determined that they would benefit from self-certification should therefore feel encouraged by the Working Party’s statement to start preparing the necessary activities and documents for their applications. The U.S. Department of Commerce will begin accepting applications as of Aug. 1, 2016.
However, it is also clear that the Working Party members are not fully satisfied that the Privacy Shield meets all of the objectives that they had outlined in their comments to the February 2016 draft of the Privacy Shield. Thus, it should be expected that more questions might be raised and inquires be conducted, to ensure that these objectives are met.