EU Data Protection Authorities met in Brussels last week to deliver their eagerly anticipated opinion on the proposed EU-US Privacy Shield. They set out significant criticisms of the current proposals, dealing a blow to those who had hoped that the difficulties affecting trans-Atlantic data transfers would be resolved quickly.
On 6 October 2015, the European Court of Justice ("ECJ") issued a decision that effectively invalidated the US-EU Safe Harbor (which had provided a lawful means of transferring personal data from the EU to the US). Following the ECJ's decision, there was significant uncertainty as to whether a replacement mechanism could be agreed and, if so, how it would work.
On 2 February 2016, the European Commission (the "Commission") announced an agreement with the US government on a new transatlantic data transfer mechanism intended to replace Safe Harbor: the "Privacy Shield". Since its announcement and the release of full details, there have been areas of significant disagreement between the Commission, the European Parliament, privacy activists and businesses over the proposals for the Privacy Shield.
EU Data Protection Authorities, which collectively meet as the Article 29 Working Party ("WP29"), have been reviewing the Commission's proposals on the Privacy Shield and have now released their opinion.
"Significant improvements" welcomed by the WP29
Overall, the WP29 welcomed a number of improvements that the Privacy Shield would bring in comparison to Safe Harbor. The WP29 acknowledged that many of the shortcomings of Safe Harbor that it had previously identified have been addressed in the Privacy Shield proposals. In particular, the WP29 noted that the insertion of key definitions, the increased transparency around access to transferred data, the creation of new oversight mechanisms, and the mandatory external and internal reviews of compliance are all positive steps.
"Strong concerns" remain
Despite the progress noted above, the WP29 expressed strong concerns about commercial aspects of the Privacy Shield, and about the access by US authorities to data transferred under the Privacy Shield.
Regarding the commercial aspects of the Privacy Shield, the WP29 found that:
- the Data Retention Principle (which limits the ability of organisations to store personal data beyond the period necessary for their original purpose) is not sufficiently addressed in the Privacy Shield;
- EU citizens are not afforded sufficient protections against automated decisions that significantly affect them and that are based solely on automated processing;
- the Purpose Limitation Principle (which limits the ability of organisations to use personal data for purposes other than their original intended purpose) is not sufficiently clearly set out in the proposals;
- there are insufficient restrictions on the ability of US organisations that receive personal data under the Privacy Shield to transfer those data onward to third parties; and
- the new redress mechanism (which is designed to give EU citizens the power to enforce their rights against US organisations that process their personal data) may prove too complex and difficult to use, and may therefore be ineffective.
Regarding access by US authorities under the Privacy Shield, the WP29 found that:
- the representations of the US Office of the Director of National Intelligence do not rule out the possibility of large-scale, indiscriminate collection of personal data originating from the EU. The WP29's long-held view is that this approach to surveillance of individuals can never be considered proportionate and necessary in a democratic society; and
- the WP29 is concerned that the new Ombudsperson proposed under the Privacy Shield will not be sufficiently independent, will not have adequate powers, and does not guarantee a satisfactory remedy that will protect EU citizens.
The WP29 has urged the Commission to identify appropriate solutions to these concerns, and address the identified areas of uncertainty, in order to ensure the protection offered by the Privacy Shield is sufficient to satisfy the requirements of EU data protection law.
Impact on the proposed timeline and wider context
The WP29's opinion is non-binding, but it is influential because the EU Data Protection Authorities that make up the WP29 can suspend data transfers they are concerned about. Given the number of concerns raised by the WP29, there appears to be a significant risk that the opinion may derail the proposed timeline for implementation of the Privacy Shield. If the Commission pushes ahead with an adequacy decision this June regardless of the WP29's view, it is possible that the Privacy Shield might be challenged before the ECJ.
Meanwhile, the WP29 confirmed that, until the Commission issues a formal adequacy decision on the Privacy Shield, EU Model Clauses and Binding Corporate Rules continue to provide a valid alternative transfer mechanism. The temporary nature of this assurance serves as a reminder that the resolution of the difficulties around the Privacy Shield may result in further, and potentially more significant, problems affecting these other transfer mechanisms.