EU Data Protection Authorities demand improvements before EU – US transfer mechanism will be approved.
The Article 29 Working Party (“WP29”), which comprises the national data protection authorities of the EU member states, issued a statement on Wednesday strongly criticising the draft “EU – US Privacy Shield” proposal. Privacy Shield is intended to be the replacement for the defunct Safe Harbor scheme, which allowed EU companies to legally export personal data to the US.
Whilst WP29 accepts that, in its current form, Privacy Shield represents a significant improvement over Safe Harbor, it believes it does not go far enough in offering EU citizens an adequate level of protection for their personal information. Crucially, WP29 considers that Privacy Shield does not sufficiently address the massive and indiscriminate collection of personal data by the US authorities which was the precipitating factor in the Schrems case which brought down Safe Harbor.
In summary, the specific criticisms voiced by WP29 are:
- Lack of clarity – Privacy Shield is comprised of various documents and annexes, making information hard to find and at times inconsistent;
- Lack of key data protection principles – some of the central principles of European data protection law, such as purpose limitation and data retention, are not sufficiently covered by the proposal;
- Onward transfers – the proposal does not ensure that the same standards are applied by third country recipients who receive EU personal data from a Privacy Shield entity;
- Complex redress mechanism – EU citizens may not be able to effectively defend their rights in the face of a complex recourse mechanism which for many will be in a different language;
- Indiscriminate data collection – there is insufficient detail about how the massive and indiscriminate surveillance of individuals by US authorities will be curtailed. In WP29’s view, such surveillance can never be considered proportionate or necessary;
- Ombudsperson not independent – WP29 welcomes the creation of an Ombudsperson role to handle and solve complaints raised by EU citizens. However, it is concerned that this role will not be sufficiently independent from US authorities.
The statement also concluded that, even if Privacy Shield is approved as an adequate mechanism for data transfers under current legislation, a review of its efficacy will be needed following the entry into application of the General Data Protection Regulation (“GDPR”) in 2018. This appears to be a strong hint from WP29 that, in its current form, Privacy Shield would almost certainly not be GDPR compliant.
As the Privacy Shield proposal is still being finalized, WP29’s assessment is not fatal. However, it is a clear signal to the EU Commission and to their partners in the US that significant improvements are needed if the scheme is to earn the adequacy decision which will make it a legal mechanism for data transfers.
In the meantime, WP29 has repeatedly stated that Binding Corporate Rules and the EC standard contractual clauses (or ‘model clauses’) can be relied upon for data transfers, and represent a safe alternative for former Safe Harbor companies. Although both of these schemes will be reviewed by WP29 in due course, it will not make any decision about them until after Privacy Shield has been dealt with.