Article 29 Working Party raises significant concerns following its review of the Privacy Shield and threatens legal action should concerns not be addressed.
The Article 29 Working Party (A29WP) has published its thoughts on the effectiveness and value of the EU-US Privacy Shield. The data protection watchdog, made up of a representative of the Data Protection Authority of each EU member state, has very clearly warned that, should appropriate action not be taken to address the "significant concerns” identified by the European Commission by the time of the Privacy Shield's next official review, it will commence a legal challenge against the Privacy Shield’s adequacy decision.
What is the Privacy Shield?
The Privacy Shield is a framework which governs and legitimises transatlantic data flows between the EU and the US. The framework was agreed following the invalidity ruling of its predecessor (Safe Harbour), yet privacy campaigners still argue that the Privacy Shield does not provide sufficient protection to the rights and freedoms of EU citizens.
Reporting on the Privacy Shield
The European Commission recently completed its first official review of the implementation and effectiveness of the Privacy Shield and considered that the Privacy Shield provided an "adequate" level of protection for personal data. However, A29WP has now published its own report which complements the “efforts” made by US authorities but also, details its lengthy list of required improvements.
What did the A29WP review say?
The review was split into two sections: commercial aspects of the Privacy Shield and the derogations allowing Law Enforcement and National Security to access personal data.
1. Commercial aspects
A29WP concluded that more guidance on the commercial aspects of the Privacy Shield is required. The Working Party identified a lack of clear information in respect of the principles of the Privacy Shield, handling of HR data and automated decision making/profiling.
The Working Party also recommended:
- distinguishing the status of data processors from that of data controllers
- increasing oversight and supervision of compliance with the principles of the Privacy Shield by US authorities
- enhancing the self-certification process to ensure uninterrupted protection for data subjects.
2. Law Enforcement and National Security
With regards to Law Enforcement and National Security, A29WP’s main concerns relate to the collection of data, to oversight, to judicial redress and finally to the supervision mechanisms.
In particular, A29WP called for a more detailed analysis of the:
- policies and procedures which determine how data is collected for national security purposes (e.g. programs such as PRISM and UPSTREAM), as no material evidence has been provided to demonstrate that such methods for collecting data are as tailored as possible
- comprehensive oversight of all surveillance programs, highlighting the pressing need to fill the job vacancies which will assist with such oversight
- availability of redress for EU individuals, noting that EU cases in respect of surveillance matters are pending
- effectiveness of the Supervisory’s powers and remedies (when appointed), given the lack of availability of judicial review of its decisions.
What action does A29WP want?
A29WP invites the European Commission to restart discussions and immediately develop an action plan. It expects that its serious concerns are addressed by 25 May 2018, when the GDPR comes into force, and that the remaining concerns are addressed at the latest by the time of the second European Commission review.
Should A29WP’s concerns fail to be resolved, it will seek a preliminary ruling from the CJEU regarding the Privacy Shield’s adequacy decision with the intention of the Privacy Shield being declared invalid.
A29WP is not the first group to cite concerns about the Privacy Shield; privacy campaigners have already initiated legal proceedings (although these are facing difficulty due to issues with legal standing). Members of the European Parliament have also raised numerous concerns noting in particular US bulk surveillance powers and transatlantic inconsistencies in interpretation of the framework and data protection law.
A29WP’s review is not directly enforceable and, with the impending GDPR deadline the attention of both the European Commission and the Working Party is likely to be focussed elsewhere, it may be that the adequacy of the politically-delicate Privacy Shield is not dealt with immediately.
Practically, while A29WP has threatened a CJEU referral, such a procedure will take time to work through the administration. It could be years before a response is received from the CJEU and by then, the Privacy Shield will have endured further European Commission reviews.