From the moment that the Chairman of the Article 29 Working Party, Isabelle Falque-Pierrotin, announced at a press conference on 3rd February this year that the Working Party would assess the standing of the EU-US Privacy Shield under EU law, privacy professionals have been waiting to see what the Working Party’s view would be. Earlier this week, on 13th April, the Working Party provided their initial opinion. On the one hand, the Working Party welcomed the significant improvements of the Privacy Shield as a positive step forward. Yet, on the other hand, the Working Party set out their strong concerns on the commercial aspects of the Privacy Shield and the ability for US public authorities to access data transferred under the Privacy Shield. The opinion concluded by urging the European Commission to resolve these concerns and improve the Privacy Shield.
The US and EU Governments have each devoted significant efforts to deliver a viable solution for EU-US data transfers since the demise of Safe Harbor last October. On 29th February, the European Commission published a draft adequacy decision and annexed texts constituting the new framework for transatlantic exchanges of personal data for commercial purposes. Hogan Lovells has carried out a detailed legal analysis of the Privacy Shield by reference to the jurisprudence of the Court of Justice of the European Union (CJEU). After considering at length the CJEU’s criteria, the content of the Privacy Shield framework and recent US legal reforms, we concluded that the Privacy Shield provides an ‘essentially equivalent’ level of protection for personal data.
The Working Party has chosen to be more cautious in its view. While being positive about the improvements that the Privacy Shield brings, the Working Party notes that the framework documentation suffers from inconsistency and a lack of clarity. Additionally, the Working Party considers that the Privacy Shield does not include certain key data protection principles from EU law. The Working Party also expresses concern about the protection for onward data transfers and that the redress mechanism for individuals could prove too complex. Finally the Working Party notes that the documentation does not exclude massive and indiscriminate collection of personal data originating from the EU by US intelligence agencies and that the new Ombudsperson is not sufficiently independent or powerful. In particular, the Working Party indicates that it will be guided by the forthcoming rulings of the CJEU regarding massive and indiscriminate data collection. One of these referrals concerns surveillance carried out by the UK’s GCHQ.
The concerns expressed by the Working Party underline how sensitive these issues are in Europe but the opinion is far from an outright rejection of the Privacy Shield. It is now for the European Commission to decide whether or not to respond to the urging of the Working Party and revisit the Privacy Shield, and it is quite possible that the Commission may proceed to finalise their draft adequacy decision in support of the Privacy Shield irrespective of the Working Party’s opinion. Although the Working Party has not provided unqualified approval, it is still reasonable for companies to decide to adhere to the Privacy Shield as a basis for their global privacy programme. In making a decision about how to proceed, companies should consider that even if the Commission goes ahead and, as planned, finalises the Privacy Shield this June, it is highly likely that the Privacy Shield will be subject to further challenges, in the CJEU or before EU data protection authorities.
Unfortunately, therefore, the period of uncertainty around data transfer mechanisms continues. Although Falque-Pierrotin confirmed at the press conference that alternative transfer mechanisms such as binding corporate rules and standard contractual clauses can still be used, she also indicated that the Working Party will not consider the validity of these alternative transfer mechanisms until after the Commission has produced the final version of the Privacy Shield. Consequently, these other mechanism will be subject to further scrutiny. The Working Party also indicated that it will review the Privacy Shield again after the General Data Protection Regulation applies from 2018 so that any approval from them now would be up for review in a further two years’ time.