‘Can Do Better’: Article 29 Working Party View on Privacy Shield

April 12, 2016

The Article 29 Working Party held a press conference on 13 April in which the Working Party Chair indicated that the documents detailing the newly negotiated Privacy Shield did not provide adequate protection. The focus of criticism included reservations about the independence of the US ‘Ombudsman’, the continued possibility of mass and indiscriminate surveillance and a lack of specificity in certain areas.

The Article 29 Working Party has now released a detailed statement summarising its criticisms (set out in full below). The full Opinion can be accessed here. Those seeking further insight into the thinking of the Working Party might be advised to consult the ‘Working Paper on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)’, which was also published on 13 April as an adjunct to the Privacy Shield Opinion; it can be accessed here.

Following the publication by the European Commission of the draft adequacy decision on the EU-U.S. Privacy Shield and related documents, the Article 29 Working Party has conducted its assessment in light of the applicable EU data protection legal framework as set out in Directive 95/46/EC, as well as the fundamental rights to private life and data protection as enshrined in Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The objective of the Working Party is to make sure that an essentially equivalent level of protection is maintained when personal data is processed subject to the provisions of the Privacy Shield.

Overall, the Working Party welcomes the significant improvements brought by the Privacy Shield compared to the Safe Harbour decision. In particular, the insertion of key definitions, the mechanisms set up to ensure the oversight of the Privacy Shield list and the now mandatory external and internal reviews of compliance are a positive step forward.

However, the Working Party has strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.

As a preliminary remark, the WP29 regrets that the Privacy Shield is constituted by a various set of documents and that therefore, the principles and guarantees afforded by the Privacy Shield are set out in both the adequacy decision and in its annexes making the information both difficult to find, and at times, inconsistent. This contributes to an overall lack of clarity.

Then, the Working Party recalls that the Privacy Shield adopted on the basis of Directive 95/46/EC needs to be consistent with the EU data protection legal framework, both in scope and terminology. In this regard, a review of the text of the Privacy Shield will have to take place after the entry into application of the General Data Protection Regulation in the course of 2018, in order to ensure the higher level of data protection offered by the Regulation is followed in the Privacy Shield.

Concerning the commercial aspects, the WP29 first of all considers that some key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions. In particular, the application of the purpose limitation principle to the data processing is unclear. The Working Party is also concerned that the data retention principle is not expressly mentioned and cannot be clearly construed from the current wording of the text. Furthermore, there is no specific wording on the protection that should be afforded against automated individual decisions based solely on automated processing.

Because the Privacy Shield will also be used to transfer data outside the US, the WP29 insists that onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower or circumvent EU data protection principles.

Besides, although the Working Party notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism in practice may prove to be too complex, difficult to use for EU individuals, especially in a different language, and therefore ineffective. Further clarification of the various recourse procedures is therefore needed; in particular, where they are willing, national EU data protection authorities could be considered as a natural contact point for the EU individuals in the various procedures, having the option to act on their behalf.

Concerning access by public authorities to data transferred under the Privacy Shield, the Working Party regrets that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU. The WP29 recalls its longstanding position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights. The WP29 takes note that there is a tendency to collect ever more data on a massive and indiscriminate scale in the light of the fight against terrorism. Given the concerns this brings for the protection of the fundamental rights to privacy and data protection, the WP29 looks to the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.

Furthermore, the Working Party welcomes the establishment of an Ombudsperson as a new redress mechanism. This may constitute a significant improvement for EU individuals’ rights with regards to U.S. intelligence activities. However, the WP29 is concerned that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.

As a conclusion, the Working Party notes the improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. But, given the concerns expressed and the clarifications asked, it urges the Commission to resolve these concerns and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.

The upshot is that the Commission and the US authorities will need to revisit the deal. While the Working Party’s views could in theory be ignored, the reality is that no business could then rely on the Privacy Shield’s effectiveness throughout the EU, thus making it almost useless as a ‘shield’. The indications are that it will be June or even September before any revision is in place.

Following the Working Party’s opinion, the next steps in the procedure before the adoption of the “adequacy-decision” by the European Commission will be the opinion of the Member States in comitology, in accordance with Article 31 of Directive 95/46/EC.

In advance of the publication of the full Opinion, SCL received some comment.

Eduardo Ustaran, London-based partner at Hogan Lovells, said:  

“This is such a sensitive issue in Europe that it’s perhaps unsurprising that the EU’s privacy regulators are still sitting on the fence. The Privacy Shield is crucial in bridging the gap between European and American approaches to privacy and it is therefore essential that it can be relied upon with complete certainty. 

“This prolongs the current uncertainty regarding the legality of transatlantic dataflows. However, it would be inconceivable for such flows to stop and I believe that the efforts of both the European Commission and the U.S. government should be given the benefit of the doubt. 

“The European Commission is likely to proceed with its decision to support the Privacy Shield despite the Working Party’s position. Therefore companies should bear that in mind when deciding which mechanism to deploy to ensure that their data is protected no matter where it is in the world.”

Julie Brill, former commissioner for the US Federal Trade Commission who was instrumental in the Privacy Shield negotiations, and current partner and co-leader of the global privacy and cybersecurity practice at Hogan Lovells, believes the agreement is good enough:

“I appreciate the hard work of the WP29 on its in-depth examination of the issues surrounding Privacy Shield.  We should all examine carefully the WP29 opinion and determine whether there are points that can be clarified quickly.  However, I encourage all stakeholders to not let the perfect stand in the way of something very, very good”, she said. “I believe Privacy Shield should be approved quickly and we should all move forward to implementation, to ensure consumers are well protected and to provide certainty for businesses.”