Progress, but still some way to go: European regulators give their views on the Privacy Shield
Last Wednesday 13 April 2016, the European Union's Article 29 Working Party (WP29) published its opinion of the EU-US Privacy Shield, which is the proposed replacement for the now discredited Safe Harbor framework.
Like its predecessor, the Privacy Shield is designed to be a self-certification mechanism to enable firms in the US to import data from the European Union in compliance with EU data protection rules. For more background on the Privacy Shield, see our latest article The EU-US Privacy Shield: Where are we now?
The WP29 gives the Privacy Shield a generally mixed review. It recognises that the Privacy Shield is a significant improvement on the previous Safe Harbor framework and addresses many of the weaknesses of Safe Harbor. However, the WP29 remains sceptical about whether the Privacy Shield will offer an adequate level of protection to individuals' personal information.
The WP29 is an umbrella body composed of data protection regulators from each EU member state that advises the Commission on data protection matters including any proposed new measures designed to safeguard the rights and freedoms of persons with regard to the processing of personal data. Its opinion is not binding on the European Commission, but it is nevertheless very influential. This means that the concerns raised by the WP29 are likely to lead to changes in the Privacy Shield before the Commission's decision on adequacy is made.
The WP29 raised concerns on a number of specific areas:
- Not consistent with data protection principles:
  - The data retention principle is not expressly mentioned;
  - There is no wording on protection against automated individual decision-making; and
  - It is not clear how the purpose limitation principle will be applied.
- Insufficient provisions relating to onward transfers from US entities who receive data: third country recipients of data should have to apply the same standards.
- Recourse mechanisms: there are new mechanisms for redress, but due to their complexity they may be ineffective in practice.
- The new Ombudsperson: the WP29 believes it will not have adequate powers to resolve EU citizens' complaints and will not be sufficiently independent of the US authorities.
- General inconsistency and lack of clarity: the complex structure of the documents in their current form makes them unclear and at times inconsistent with one another.
- US representations in relation to "Massive Collection" of data originating from the EU are insufficient: the WP29 believes that such surveillance can never be considered proportionate or necessary, so there must be provisions explaining how it will be curtailed.
- Inconsistency with the new General Data Protection Regulation: the Privacy Shield will need to be reviewed after the entry into application of the GDPR, which completed its legislative stage last week. The WP29 suggests that a specific clause should be inserted to trigger a review for this purpose, so that the higher levels of protection introduced from 2018 onwards under the GDPR are replicated by the scheme.
There is some light at the end of the tunnel, however. The WP29 repeatedly acknowledged that there were significant improvements on Safe Harbor, and there was no outright rejection of the Privacy Shield. Nevertheless, the WP29 has urged the Commission to resolve the concerns it raised in order to ensure that the level of data protection under the Privacy Shield would be essentially equivalent to that in the EU, but without requiring a slavish copying of the new GDPR.
The next stage will be for the European Commission and the US authorities to consider the concerns raised by the WP29 and, if necessary, make changes to the Privacy Shield before an adequacy decision is made later in 2016. Watch this space for more information. The WP29 praised the urgency with which the Commission and the US dealt with the preparation of the Privacy Shield, so it is hoped that an updated version will not be long in appearing.
If you have concerns about the legality of data transfers in your business, or would like advice on any aspect of data protection or information governance, please get in touch with our specialist data protection lawyers who would be happy to help.
We also offer a range of data protection training sessions. For more information or to book your place, click here.