The EU-US Privacy Shield was effectively rejected by European data privacy agencies via the Article 29 Working Party (WP29). It stated that the arrangement, in its current form, is not clear or robust enough to gain its support. As previously reported (see here, here and here), the Privacy Shield was set to facilitate EU-US data flows following the Court of Justice of the European Union (CJEU) invalidating the Safe Harbor framework. However, the WP29 group of data privacy regulators have said that they are not in a position to confirm that the current draft adequacy decision ensures a level of protection equivalent to that in the EU.
Although the WP29 opinion on the Privacy Shield is not legally binding, it could lead to uncertainty regarding the future of EU-US data transfers. The group has said that more work needs to be done to clarify portions of the arrangement and that the main concerns emanating from the Privacy Shield are the continued potential for European citizens’ data to be harvested in bulk via mass US surveillance programs, and the independence of an ombudsperson who would be appointed in the US to assess data-related complaints from European citizens.
The lack of support shown by the WP29 towards the Privacy Shield is of major concern to companies currently engaging in trans-Atlantic data transfers, however, it will be up to the European Commission to decide whether or not to endorse the arrangement. As negotiations continue, the uncertainty around the future of the Privacy Shield will become clearer in the coming months.