On April 13, the Article 29 Data Protection Working Party announced a decision to reject the EU-US Privacy Shield agreement as drafted and requested changes based upon the following concerns, on which we provide some initial analysis.
- The Privacy Shield lacks clarity due to its format (the European Commission adequacy decision and the numerous annexes make it difficult to navigate). It also contains some inconsistencies.
- The Privacy Shield will need to be revisited after the General Data Protection Regulation comes into effect in 2018, most likely to further strengthen protections. This would be a major change in the text of the agreement.
- Commercial aspects of European law are not adequately reflected in the Privacy Shield including the protections of the purpose limitation, data retention, individual decisions on automatic data processing. This too would be a major change.
- Onward transfers from Privacy Shield entities will not be subject to consistent protections including on national security. As applied to transfers outside the US, this is not a major change in current EU standards.
- There should be clarification of the new recourse procedures available to European citizens including a possible role for EU data protection authorities. If limited to funneling complaints to the FTC, this would not be a major change.
- The Ombudsman established under the US State Department is not sufficiently independent and will not have adequate to authority to effectuate remedies. This could be addressed potentially by the Ombudsman in the FTC.
Significantly, the Statement emphasized that representations from the US Office of the Director of National Intelligence are inadequate with respect to “massive and indiscriminate surveillance of individuals” and consequently the Working Party will be looking to upcoming rulings by the EU Court of Justice on surveillance cases.
Although the Article 29 Working Party plays only an advisory role to the European Commission, we expect that the more specific recommendations in particular will be incorporated into the framework prior to final approval by EU authorities. Given European Summer holidays, this may not happen until September.