Article 29 Working Party on the EU-US Privacy Shield:
The EU’s Article 29 Working Party analyzed the final version of the Privacy Shield and issued a statement on July 26, 2016. What does this mean?
- Recap: Where are we and how did we get here?
On February 29, 2016, the European Commission issued a draft adequacy decision reflecting the outcome of its negotiations with US authorities in relation to the Privacy Shield, which is designed to replace the invalidated Safe Harbor for personal data transferred from the EU to the US. The draft Shield was submitted to various bodies, including the Article 29 Working Party. The Working Party issued its opinion on April 13, 2016, expressed concerns and asked for various clarifications. Further discussions took place across the Atlantic and on July 12, 2016 the Commission formally adopted the adequacy decision.
- What did the Working Party say?
On July 26, 2016, the Working Party stated that, although its opinion had been taken into consideration, “a number of these concerns remain”. In its opinion about the draft, the Working Party had dealt separately with, on the one hand, the “commercial aspects”, i.e., collection of data by businesses and, on the other hand, access to data by US public authorities. In the statement on the final decision, the Working Party follows the same pattern.
As regards commercial aspects, the Working Party states that “it regrets, for instance, the lack of specific rules on automated decisions” (article 15 of the 95/46 EC Directive provides that decisions which produce legal effects concerning an individual or which significantly affect an individual should not be based solely on automated processing of data) and also the lack “of a general right to object. It also remains unclear how the Privacy Shield Principles shall apply to processors” (according to the Directive, the data processor is the person who processes data on behalf of the data controller).
As regards access by US public authorities, the Working Party stated that “it would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism. Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.” The Working Party also referred to the joint review mechanism set out in the Privacy Shield (the first review is expected to take place in May 2017) and stated that the DPAs would assess if the remaining issues have been solved and if the safeguards are workable and effective. Finally, the Working Party also talked about alternative transfer tools, Binding Corporate Rules and Standard Clauses and said that the results of the first joint review may also impact those.
- What is next?
US companies will be able to register with the US Department of Commerce as from August 1, 2016. They will be required to self-certify their adherence to the Privacy Shield Principles.
It is expected that most US companies which were previously Safe Harbor certified will eventually get Privacy Shield certified, except maybe for a few companies which were compelled to switch to Binding Corporate Rules or Standard Contractual Clauses (see our Update on Enforcement action taken by DPAs). The Working Party will soon provide information to businesses (especially those which qualify as data controllers) about their obligations under the Shield and to citizens about their rights. It is clear that it wants to play a key role in the annual joint review of the Shield.
Finally, the Working Party said in its statement that “in the meantime [i.e., before the first annual joint review] … the DPAs […] commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints”. This is in line with the Schrems judgment in which the European Court of Justice held that an adequacy decision issued by the Commission “does not prevent a supervisory authority of a Member State…from examining the claim of a person…[who] contends that the law and practices in force in the third country [where the data has been transferred] does not ensure an adequate level of protection.” The Privacy Shield could therefore be challenged before national DPAs in the same way as the Safe Harbor was.
In other words, the message conveyed by the Working Party is: let’s wait and see how personal data is actually handled in the US.