Privacy Shield Review: A Warning Shot?

June 12, 2017

On 13 June the Article 29 Working Party published a press release
(set out in full below), which ostensibly sets out its preparations for the
annual joint review of the Privacy Shield. Since this is the first such review,
it is inevitably unprecedented for the Working Party to set out its concerns
in this way but the tone of the press release suggest that the level of concern
with the Privacy Shield is mounting and very real. There must be a real chance
that, even discounting the latest Schrems challenge, the Privacy Shield will
perish. The implications for a post-Brexit adequacy decision for the UK are
obvious.

The Working Party refers to various aspects of its
investigation of continued adequacy and states that it ‘has questions
concerning, among others, the existence of legal guarantees regarding automated
decision making or the existence of any guidance made available by the DOC
regarding the application of the Privacy Shield principles to organisations
acting as agents/processors’. This seems anodyne but what follows seems less
so:

‘Regarding the law enforcement and national security part,
the WP 29 has questions relating in particular to the latest developments of US
law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia,
precise evidence to show that bulk collection, when it exists, is “as tailored
as feasible”, limited and proportionate. In addition, the WP29 stresses the
need to obtain information concerning the nomination of the four missing
members of the PCLOB as well as on the appointment of the Ombudsperson and the
procedures governing the Ombudsperson mechanism, as they are key elements of
the oversight architecture of the Privacy Shield.’

And the Working Party does not seem inclined to let matters
slide on the basis of Commission reassurances:

‘The WP29 expects it will be given the opportunity to provide
comments on the Commission’s report before the report is finalized.
Nevertheless, subject to the outcome of the Joint Review and the report of the
Commission, the WP29 reserves the right to publish its own report, based on the
findings of the review team of the Working Party.’

Perhaps the ‘warning shot’ title for this update is an
over-reaction. Read the press release and make up your own mind.

Press release in full

Preparation of the Privacy Shield annual Joint Review

On 12 July 2016, the European Commission adopted the EU-U.S.
Privacy Shield adequacy decision. After assessing the case law of the CJEU and
the ECtHR, the relevant US law, as well as the draft and final adequacy
decisions, the Art. 29 Working Party (WP29) issued several opinions and
stressed that its concerns would have to be addressed within the framework of
the annual EU/US Joint Review of the Privacy Shield. The first joint annual
review will be therefore a key moment for the WP 29 to assess the robustness
and effectiveness of the Privacy Shield mechanism.

According to the adequacy decision, the Commission will
undertake this Review, which will take place in September in the US. The
participation in the meetings will be open for EU DPAs of the Article 29
Working Party. At the eve of this first Joint Review, the WP29 has been
intensively preparing this exercise, both with respect to the substance and to
the operational dimension of the Review. In particular, it has adopted a letter
to be sent to the European Commission to share its views and recommendations.

In this letter, the WP 29 recalls that the mission to the US
will be a fact-finding mission in order to collect the relevant information and
necessary evidence to assess the robustness of the Privacy Shield. To ensure
that the US authorities are able to constructively answer concerns on the
concrete enforcement of the Privacy Shield decision, the WP29 will communicate
to the Commission the information and clarification it is seeking on the
commercial part as well as concerning the law enforcement and national security
access, in line with the points raised in previous WP29 opinions.

As for the commercial part, the WP29 has questions
concerning, among others, the existence of legal guarantees regarding automated
decision making or the existence of any guidance made available by the DOC
regarding the application of the Privacy Shield principles to organisations
acting as agents/processors. Clarifications that will be sought also include
the definition of human resources data.

Regarding the law enforcement and national security part,
the WP 29 has questions relating in particular to the latest developments of US
law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia,
precise evidence to show that bulk collection, when it exists, is “as tailored
as feasible”, limited and proportionate. In addition, the WP29 stresses the
need to obtain information concerning the nomination of the four missing
members of the PCLOB as well as on the appointment of the Ombudsperson and the
procedures governing the Ombudsperson mechanism, as they are key elements of
the oversight architecture of the Privacy Shield.

Naturally, these questions are without prejudice to any
other additional questions that may appear necessary in the course of the
preparation of the Joint Review or of the Joint Review itself.

As regards the representatives of the data protection
authorities participating to the Joint Review, the Working Party 29 has
designated 8 participants to be part of the Review team, Commissioners as well
as experts at staff level. In its view, in order to allow for sufficient time
to conduct an assessment, the WP 29 considers that the Review in the US should
last at least 2-3 days.

The WP29 has also suggested a list of US authorities which
should be part of the Joint Review, for the commercial part as well as for the
law enforcement and national security part. It also considers having contacts
with representatives of the civil society stakeholders in the EU and in the US.

The WP29 expects it will be given the opportunity to provide
comments on the Commission’s report before the report is finalized.
Nevertheless, subject to the outcome of the Joint Review and the report of the
Commission, the WP29 reserves the right to publish its own report, based on the
findings of the review team of the Working Party.