The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, the gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before the courts. Such a cancellation could lead to certified U.S. companies (2,400 companies, including web giants and major cloud providers) losing their certification, having to freeze data flows and having to implement other legal mechanisms allowing them to import personal data from the EU.
It should be noted that the EU and U.S. authorities negotiated the Privacy Shield from a perspective that was more in line with Directive 95/46 (the main applicable data protection instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 plans to prepare businesses for it.
In its report, the WP29 focuses on guarantees of enforcement and efficiency.
The commercial aspects:
The WP29 recommends, among others:
- Providing more guidance and information on the principles of the Privacy Shield, on transfers and on the rights and available recourse and remedies for data subjects;
- Increasing oversight and supervision of compliance through ex-officio investigations and continuous monitoring of certified companies;
- Distinguishing the status of data processors from that of data controllers;
- Avoiding exceptions for HR data processing;
- Increasing the level of protection against automated decision-making based on data profiling.
The issue of public authorities access:
The WP29 calls for, among others:
- Further evidence to substantiate the assertions that the data collection under Section 702 of FISA is not indiscriminate;
- Preparation by the Privacy and Civil Liberties Oversight Board (PCLOB) of an updated report further assessing the necessity and proportionality of the definition of “targets” and of the tasking of selectors under Section 702, as well as the concrete process of application of selectors in the context of the UPSTREAM program, to clarify whether massive access to data occurs in this context;
- Provision by the PCLOB of information on the concrete operation of Executive Order 12333 and on its necessity and proportionality;
- Guarantee of redress by EU citizens before U.S. courts; and
- Appointment, “as soon as possible”, of the Ombudsperson, with a clarification of its powers through the declassification of internal procedures.
Method and timeline
According to the WP29, the European Commission and the U.S. authorities should first restart discussions and take the following steps:
- “Immediately” set up an action plan in order to demonstrate that all these concerns will be addressed;
- Prioritize and resolve the following issues by the entry into application of the GDPR:
  - Appointment of the independent Ombudsperson;
  - Explanation of rules of procedure, including by declassification; and
- Address other concerns before the next annual review.
The WP29 is one of the most influential voices in data protection in the EU. Therefore, relying only on a Privacy Shield certification to export data to or import data from the U.S. could be a dangerous bet. Additionally, or alternatively, prudence would require implementing another appropriate safeguard, such as Binding Corporate Rules, Certification (when available), adherence to approved Codes of Conduct (when available) or Contractual Clauses.