In its recent Report on the Privacy Shield, the Article 29 Working Party (WP29) recognised the progress of the Privacy Shield in comparison with the invalidated Safe Harbour, and the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield. However, the WP29 identified a number of concerns. Like the European Commission (EC) in its first annual review of the EU-US Privacy Shield, the WP29 called for the appointment of a permanent Privacy Shield Ombudsperson (and further explanation of the rules of procedure, including by declassification), and for the remaining positions on the Privacy and Civil Liberties Oversight Board (PCLOB) to be filled. The WP29 requested that these concerns be prioritised and addressed prior to 25 May 2018, when the GDPR comes into force.
The WP29 further called for clear guidance on the Privacy Shield Principles, HR data and onward transfers, and for increased supervision of compliance with the Privacy Shield principles. The US authorities are also requested to clearly distinguish the status of processors from that of controllers, both at the time of their self-certification and at the time of further checks. The WP29 demands that these remaining issues be resolved, at the latest, at the time of the next annual review of the Privacy Shield. If no remedies are brought to address the concerns raised by the WP29 within these time frames, the WP29 warned that it will bring the Privacy Shield adequacy decision before the national courts so that they may make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
The WP29 split its review between the commercial aspects of the Privacy Shield, and US government access to EU citizens’ personal data for law enforcement and national security purposes together with the legal remedies available to EU citizens.
The WP29’s concerns regarding the commercial aspects of the Privacy Shield include:
- HR data – Diverging interpretations of “HR data” exist between the US government on the one hand and the EC and WP29 on the other. It was always the expressed intention of the EC to grant extra protection to HR data and to expand the powers of DPAs in order to appropriately protect these data under the Privacy Shield, through the informal panel of EU DPAs that can give binding advice to certified organisations and, as a last consequence, refer the case to the FTC or ask the DoC to remove an organisation not complying with such binding advice from the Privacy Shield list. The WP29 regards “HR data” as any personal data concerning an employee in the context of an employer-employee relationship. However, it has emerged that in the DoC’s view, only the processing of data of employees within the same company falls within the category of “HR data” under the Privacy Shield and benefits from the additional safeguards. As a consequence, the processing of an EU company’s employee data after it has been transferred to a Privacy Shield certified processor within the US is not considered HR data but commercial data. This has a direct impact on the type of dispute resolution mechanism available, as in such a case the panel of EU DPAs would not be competent. The WP29 urged the EC to address and clarify this issue.
- Lack of oversight and supervision of compliance with Privacy Shield Principles – The US authorities need to devote sufficient resources to enforcement of, and compliance with, the Privacy Shield framework after the actual certification / recertification procedure. Suggestions made by the WP29 include: conducting periodic compliance checks; initiating investigations; using compliance questionnaires; and reviewing privacy policies and contracts concerning onward transfers.
- Application of Privacy Shield to US-established processors – The US authorities need to issue guidance on the situation of processors, and on the distinction between processors and controllers. The WP29 claims that several obligations included in the Privacy Shield Principles are not suitable for processors, as it is always the data controller that determines the purposes and means of the processing of the data. The processor has no autonomy with respect to the processing of data; for example, the processor may not be authorised by the controller within the EU to onward transfer the data, or may do so only after the authorisation of the controller within the EU. A processor would also not be able to provide individuals with full notice as intended by the Notice principle, for example because the organisation does not determine the purposes of the processing. In order to respect the principle of purpose limitation, U.S. organisations receiving data for mere processing purposes should also not be able to decide to process the data for their own purposes.
- Automated decision-making / Profiling – There is a lack of guarantees in the Privacy Shield for automated decisions which produce legal effects or significantly affect the individual. The WP29 calls upon the EC to consider providing specific rules concerning automated decision-making, so as to give individuals sufficient safeguards, including the right to know the logic involved and to request reconsideration on a non-automated basis.
- Self-certification process and cooperation – Inconsistencies exist between the true status of an organisation’s certification as shown on the Privacy Shield website and the status indicated on the organisation’s own website. The WP29 strongly suggests that the US authorities adopt a proactive approach to monitoring false claims made by organisations in regard to their certification status.
The WP29 expressed the following concerns relating to US government access to EU citizens’ personal data for law enforcement and national security purposes:
- Collection of data – Material evidence or legally binding commitments are required from the US authorities to support their assertions that the collection of data under section 702 of the Foreign Intelligence Surveillance Act of 1978 (as amended) is not indiscriminate, and that access to EU citizens’ personal data is not conducted on a generalised basis.
- Oversight – The PCLOB needs to fill its vacant positions, issue an updated report on Section 702, and declassify its report on Presidential Policy Directive 28.
- Judicial redress – US statutes provide EU individuals with limited grounds to challenge surveillance by US law enforcement authorities. In light of the evolving case law (such as Schrems II), the WP29 will continue to monitor the effectiveness of the judicial redress before the US judiciary.
- Ombudsperson – Based on the limited information available, the WP29 did not affirm the effectiveness of the Ombudsperson mechanism and asked for the applicable powers and procedures of the Ombudsperson to be declassified and shared.
First Annual Review by the EC
The WP29 review follows on from the recommendations made by the EC in its first annual review of the Privacy Shield, which included:
- The US Department of Commerce should be more proactive in monitoring companies’ compliance with their Privacy Shield obligations.
- The US Department of Commerce should conduct regular searches to identify companies making false claims about their participation in the Privacy Shield.
- Companies should not be allowed to publicly announce that they are Privacy Shield-certified until the Department of Commerce has finalised their certification.
- The US should swiftly appoint an independent Ombudsperson.
- The EU Data Protection Authorities and the US Department of Commerce need to raise individuals’ awareness about how to exercise their rights under the Privacy Shield, in particular how to lodge complaints.
EU Court’s review of the Privacy Shield
The EU General Court will be considering the validity of the Privacy Shield in the near future, as a number of French privacy advocacy groups have challenged the EC’s decision that the Privacy Shield provides adequate protection for the transatlantic transfer of personal data. The General Court of the EU, in Digital Rights Ireland (DRI) v European Commission, recently dismissed as inadmissible the action by DRI for annulment of the Privacy Shield. The Court found that DRI did not have standing to bring the challenge in its own name, as it is a legal person and its official title does not identify any natural person. There is no protection of personal data under the Data Protection Directive 95/46/EC for legal persons. In addition, EU case law shows that legal persons can only claim the protection of personal data guaranteed by Article 8 of the Charter of Fundamental Rights insofar as the official title of the legal person identifies one or more natural persons. Nor could DRI bring an annulment claim in the name of its members, supporters or the general public.
In light of DRI’s unsuccessful challenge, and the EC’s recent official approval of the Privacy Shield in its first annual report, the Privacy Shield remains a valid legal mechanism for EU-US data transfers. These developments should provide a measure of comfort to companies on both sides of the Atlantic that rely on the Privacy Shield to transfer personal data. However, the pressure is on the US authorities and the EC to take action to address the WP29’s concerns as soon as possible.