Privacy Shield Review: A Warning Shot?

A press release from the Article 29 Working Party may amount to a warning about the long-term stability of the privacy shield.

On 13 June the Article 29 Working Party published a press release (set out in full below), which ostensibly sets out its preparations for the annual joint review of the Privacy Shield. Since this is the first such review, it is inevitably unprecedented for the Working Party to set out its concerns in this way but the tone of the press release suggest that the level of concern with the Privacy Shield is mounting and very real. There must be a real chance that, even discounting the latest Schrems challenge, the Privacy Shield will perish. The implications for a post-Brexit adequacy decision for the UK are obvious.

The Working Party refers to various aspects of its investigation of continued adequacy and states that it ‘has questions concerning, among others, the existence of legal guarantees regarding automated decision making or the existence of any guidance made available by the DOC regarding the application of the Privacy Shield principles to organisations acting as agents/processors’. This seems anodyne but what follows seems less so:

'Regarding the law enforcement and national security part, the WP 29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.'

And the Working Party does not seem inclined to let matters slide on the basis of Commission reassurances:

'The WP29 expects it will be given the opportunity to provide comments on the Commission’s report before the report is finalized. Nevertheless, subject to the outcome of the Joint Review and the report of the Commission, the WP29 reserves the right to publish its own report, based on the findings of the review team of the Working Party.'

Perhaps the ‘warning shot’ title for this update is an over-reaction. Read the press release and make up your own mind.

Press release in full

Preparation of the Privacy Shield annual Joint Review

On 12 July 2016, the European Commission adopted the EU-U.S. Privacy Shield adequacy decision. After assessing the case law of the CJEU and the ECtHR, the relevant US law, as well as the draft and final adequacy decisions, the Art. 29 Working Party (WP29) issued several opinions and stressed that its concerns would have to be addressed within the framework of the annual EU/US Joint Review of the Privacy Shield. The first joint annual review will be therefore a key moment for the WP 29 to assess the robustness and effectiveness of the Privacy Shield mechanism.

According to the adequacy decision, the Commission will undertake this Review, which will take place in September in the US. The participation in the meetings will be open for EU DPAs of the Article 29 Working Party. At the eve of this first Joint Review, the WP29 has been intensively preparing this exercise, both with respect to the substance and to the operational dimension of the Review. In particular, it has adopted a letter to be sent to the European Commission to share its views and recommendations.

In this letter, the WP 29 recalls that the mission to the US will be a fact-finding mission in order to collect the relevant information and necessary evidence to assess the robustness of the Privacy Shield. To ensure that the US authorities are able to constructively answer concerns on the concrete enforcement of the Privacy Shield decision, the WP29 will communicate to the Commission the information and clarification it is seeking on the commercial part as well as concerning the law enforcement and national security access, in line with the points raised in previous WP29 opinions.

As for the commercial part, the WP29 has questions concerning, among others, the existence of legal guarantees regarding automated decision making or the existence of any guidance made available by the DOC regarding the application of the Privacy Shield principles to organisations acting as agents/processors. Clarifications that will be sought also include the definition of human resources data.

Regarding the law enforcement and national security part, the WP 29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.

Naturally, these questions are without prejudice to any other additional questions that may appear necessary in the course of the preparation of the Joint Review or of the Joint Review itself.

As regards the representatives of the data protection authorities participating to the Joint Review, the Working Party 29 has designated 8 participants to be part of the Review team, Commissioners as well as experts at staff level. In its view, in order to allow for sufficient time to conduct an assessment, the WP 29 considers that the Review in the US should last at least 2-3 days.

The WP29 has also suggested a list of US authorities which should be part of the Joint Review, for the commercial part as well as for the law enforcement and national security part. It also considers having contacts with representatives of the civil society stakeholders in the EU and in the US.

The WP29 expects it will be given the opportunity to provide comments on the Commission’s report before the report is finalized. Nevertheless, subject to the outcome of the Joint Review and the report of the Commission, the WP29 reserves the right to publish its own report, based on the findings of the review team of the Working Party.

 

Published: 2017-06-13T16:30:00

    0 comments

      This site uses cookies. By using the site you agree to our use of cookies as set out in our Privacy Policy.

      Please wait...