On May 30, 2016, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued his Opinion on the EU-U.S. Privacy Shield, calling for “significant” improvements to the EU-U.S. Privacy Shield before it can be adopted by the European Commission (EC). According to the EDPS Opinion:
“The draft Privacy Shield may be a step in the right direction, but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision.”
The Opinion stated that in order for the Privacy Shield to be effective, it must provide adequate protection against indiscriminate surveillance by U.S. intelligence agencies and improve existing obligations regarding oversight, transparency, redress and data protection rights. In particular, the EDPS Opinion called on the EC to negotiate improvements to Privacy Shield in three main areas:
- integrating all key EU data protection principles so that the Privacy Shield will offer essential equivalence between EU and U.S. law;
- limiting derogations from the Privacy Shield’s provisions; and
- improving redress and oversight mechanisms contained in the Privacy Shield.
The Opinion also urged the negotiating parties to be unhurried in finding an adequate, long term solution, as it is essential for international organizations supplying goods and services in the EU to be absolutely clear about all the rules with which they must comply.
The EC began negotiating the Privacy Shield in October 2015, after the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Safe Harbor data transfer agreement. The Privacy Shield is intended to replace Safe Harbor. The EDPS opinion follows and supports the concerns expressed in the European Parliament’s May 25, 2016 resolution (2016/2727 (RSP)), which called for the EC to reopen negotiations with the U.S. in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.
After the CJEU invalidated the EU-U.S. Safe Harbor Agreement, the Article 29 Working Party assured organizations and individuals wanting to transfer data from the EU to the United States that they could rely on other mechanisms provided for in the 1995 Data Protection Directive, such as standard model clauses and binding corporate rules, to continue legally exporting data.
However, these alternative mechanisms suffer from some of the same deficiencies as did Safe Harbor, in particular the lack of restrictions on access to personal data by U.S. intelligence agencies. Last week, the Irish Data Protection Commissioner announced that it would refer the question of the legality of the use of standard model clauses as a basis of data transfer to the CJEU, thus calling into question their continued use in the long term.
Should the CJEU also invalidate the use of standard model clauses, which is by no means certain, approval of a final version of the Privacy Shield implementing the recommendations and addressing the concerns expressed in the Opinion of the EDPS and the Resolution of the European Parliament on the adequacy of the Privacy Shield will be critical for uninterrupted data flow between the EU and United States.
Like the recent Resolution passed by the European Parliament, the EDPS Opinion should contribute to the essential clarity for international organizations supplying goods and services in the EU regarding the precise rules with which they must comply in order to lawfully transfer personal data between the U.S. and EU.