On April 13, 2016, the Article 29 Working Party, the group composed of representatives of the national data protection authorities in Europe (“WP29”), published its opinion (“Opinion”) on the EU–U.S. Privacy Shield. The Privacy Shield is the alternative framework for transatlantic data flows recently agreed to by the EU and the U.S. to fill the void left by the invalidation of the Safe Harbor regime late last year. The WP29 review covered the commercial aspects of the Privacy Shield as well as its national security, law enforcement and public interest aspects. While the WP29 acknowledged that the Privacy Shield brings significant improvements over the Safe Harbor, its view is that the Privacy Shield still falls short on several counts. These criticisms call into question the viability of the Privacy Shield moving forward.
The Opinion highlighted several significant shortcomings to the Privacy Shield framework in the WP29’s eyes. As an initial matter, the WP29 noted that the structure of the Privacy Shield documentation made information difficult to find and inconsistent at times. The WP29 bemoaned the general lack of clarity and suggested that clear definitions should be agreed upon by the EU and U.S. and set forth in a glossary of terms.
In terms of the commercial aspects of the proposal, the WP29 believed the Privacy Shield did not adequately reflect certain data protection principles set out in European law. For example, the WP29 found the Privacy Shield to be lacking with regard to data retention limits, purpose limitation (i.e., restricting the use of data to the purposes for which it was collected), and protections against decisions affecting individuals that are based solely on automated processing (e.g., automated decisions regarding performance at work, creditworthiness, reliability, conduct, etc.). The WP29 also expressed general concern that the redress mechanisms offered to individuals (see Remedies for EU Data Subjects), thought to be a key improvement over the Safe Harbor, may prove ineffective because of their complexity and difficulty of use.
The WP29 also found weaknesses with respect to the national security, law enforcement and public interest provisions of the Privacy Shield. It noted that the Privacy Shield did not effectively exclude massive and indiscriminate collection of personal data from EU individuals. And the WP29 was concerned that the establishment of an Ombudsperson as an avenue for redress for U.S. intelligence activities was insufficient given that the institution was not sufficiently independent or vested with adequate authority. In short, concerns over U.S. government snooping remain.
Of note, the WP29 specifically pointed out that the Privacy Shield was the first key proposal by the European Commission (“Commission”) drafted since the General Data Protection Regulation (“GDPR”) was agreed to in principle, but lacked many of the improved protections offered therein. The WP29 recommended that the Privacy Shield be reviewed shortly after the GDPR enters application, which has become particularly relevant given the subsequent approval of the GDPR by the European Parliament on April 14, 2016. This could be the start of an emerging trend that all decisions coming from the EU relating to privacy should be aligned with the principles of the GDPR, notwithstanding that it will not be binding law for another two years.
The Privacy Shield still must be formally adopted by the Commission. The WP29 is merely an advisory body, set up under Article 29 of the 1995 EU Data Protection Directive, and the Commission is not required to follow its advice. However, its members are the data protection authorities of the EU member states, and its opinions carry significant weight. Accordingly, the Opinion may cause concern within the Commission and may raise questions as to whether it will formally adopt the Privacy Shield in its current form.
In short, we are in a state of uncertainty. We will need to wait to see how the Commission responds to this. A fine balancing act needs to be struck between approving something that is much needed by the market, both politically and economically, and approving something that will stand at least some chance of being upheld in the EU courts when challenged by the likes of Max Schrems, which will inevitably happen. In any event, data controllers and data processors should continue to evaluate and implement other measures to ensure lawful transfers of EU individuals’ data to the United States. These measures include the standard contractual clauses and binding corporate rules permitted by the current legal framework.