During the week of 18 September 2017, the European Commission and the Article 29 Working Party (“WP29”) will undertake the first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). The meetings will take place in the United States. As for the U.S. side, the U.S. Department of Commerce will conduct the review, and it is likely that, among others, the U.S. Department of State and the U.S. Department of Justice will participate.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. On 6 October 2015, the European Court of Justice (“CJEU”) invalidated the “Safe Harbour” decision by the European Commission, the predecessor to the Privacy Shield, in its Schrems v Data Protection Commissioner (Ireland) judgment (“Schrems Judgment”). By decision of 12 July 2016, the European Commission adopted a new transfer mechanism: the EU-U.S. Privacy Shield (“Adequacy Decision”).

Certified organisations

On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce and publicly commit to comply with the requirements under the Privacy Shield. A list of the certified organisations can be found here.

While about 5,500 organisations had signed up to Safe Harbour, about 2,500 organisations, including many large organisations, have already self-certified to the Privacy Shield in its first year. Apart from that, organisations still consider EU Model Clauses, as well as Binding Corporate Rules, as a good alternative to the Privacy Shield.

The upcoming review

As the Privacy Shield is a living mechanism, it is subject to continuous reviews to check whether it is functioning effectively and providing sufficient safeguards.

In recent months, the Privacy Shield has been subject to considerable public attention: both EU and U.S. organisations, EU policy committees, and non-governmental organisations argued that the Privacy Shield was an improvement over its predecessor. However, the Privacy Shield was also met with resistance within the EU.

In a resolution, the EU Parliament’s LIBE Committee stressed law enforcement issues and deplored the fact that the Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes.

In preparation for the Privacy Shield annual review, WP29 released a statement that includes its views and recommendations. WP29 wants to tackle the following issues during the annual review:

  • The collection of the relevant information and necessary evidence to assess the robustness of the Privacy Shield
  • Legal guarantees regarding automated decision-making
  • Guidance of the U.S. Department of Commerce regarding the application of the Privacy Shield principles to organisations acting as agents or processors
  • Clarifications, including the definition of human resources data
  • Evidence to show that bulk collection, when it exists, is limited and proportionate
  • Nomination of the four missing members of the Privacy and Civil Liberties Oversight Board
  • Appointment of the ombudsperson and the procedures governing the ombudsperson mechanism

Further, the European Commission sent questionnaires to trade associations and other organisations, seeking to gather information on policies, procedures and other measures that organisations implement to comply with their Privacy Shield obligations. The responses will be used to inform the reviewing parties of the functioning, implementation and supervision of the Privacy Shield.

The upcoming review is expected to address the aforementioned concerns. Law enforcement and national security issues will likely be key topics. If the review shows that the Privacy Shield cannot guarantee an adequate level of data protection, the European Union may suspend its Adequacy Decision.

Privacy Shield being challenged in court

The Privacy Shield currently faces two legal challenges in the European Court of First Instance, the General Court. The actions were brought by the Irish privacy advocacy group Digital Rights (case T-670/16) and French privacy groups (case T-738/16). They argue that the Privacy Shield does not comply with the EU Data Protection Directive, the Charter of Fundamental Rights of the EU, and the Schrems Judgment. However, both challenges face the risk of being declared inadmissible if the court finds that the applicants are not directly concerned.

Implications of Brexit

As a consequence of Brexit, the UK will be considered a third country from an EU perspective. The House of Lords EU Home Affairs Sub-Committee recently issued a report on data protection after Brexit (see our previous blog here). According to the report, the UK Government aims to guarantee “unhindered” and “uninterrupted” EU-UK data flows, but it would be too early to determine what the future arrangement might look like. In terms of UK-U.S. data transfers, the report suggests the Swiss model as a possible solution for the UK.

Comment

The upcoming review of the Privacy Shield will be followed by a report of the European Commission. WP29 announced that it may also present a separate public report.

The findings will be of interest to organisations that operate on the basis of the Privacy Shield, since the review seeks to ensure that the Privacy Shield will continue to provide a valid transfer mechanism. It remains to be seen how long the Privacy Shield will be a valid transfer mechanism for international data transfers. Remarkably, EU Data Protection Supervisor Giovanni Buttarelli recently stated that the Privacy Shield should be only a temporary solution. Because of the stricter data protection requirements of the upcoming General Data Protection Regulation, Buttarelli calls for a “more robust” instrument.