After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield. However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13. It concluded that the proposed version of the Privacy Shield does not offer a protection essentially equivalent to that offered under EU law. WP29 noted “strong concerns” on both the commercial aspects and on access by public authorities.
On the commercial aspects, WP29 said the Privacy Shield:
- is not in line with the purpose limitation and data retention principles (data should not be stored longer than strictly necessary in accordance with the purpose for which the data subject gave his/her consent)
- says nothing about protection against decisions based solely on automated processing
- does not deal with onward transfers adequately; and
- has a redress mechanism that is too complex.
As regards access by public authorities, the Privacy Shield:
- does not exclude massive and indiscriminate collection of personal data originating from the EU; and
- has an Ombudsperson that is not sufficiently independent and not vested with adequate powers.
WP 29 urged the European Commission to resolve these concerns and improve the proposed scheme.
What will happen next?
The EU Privacy Directive states that a committee composed of representatives of all Member States must also issue an opinion on the Privacy Shield. The opinions of that Committee and of WP29 are non-binding, so the European Commission could still issue a favorable adequacy decision on the current version of the Privacy Shield. However, the ECJ also ruled in the Schrems case that national data protection authorities within the EU (“DPAs”) are not bound by the Commission’s adequacy decisions. Accordingly, there is little doubt that the Privacy Shield will be challenged in the ECJ if the Commission approved it.
We will see what the European Commission decides but Commissioner Jourova indicated that the Commission would work swiftly to include WP29’s recommendations and is still aiming at issuing a final adequacy decision in June.
In the meantime businesses may still use the other EU-U.S. transfer tools, mainly the European Commission Standard Contractual Clauses and Binding Corporate Rules, when data is shared within the same group. Failing to use these tools exposes a business to the risk of a national DPA initiating an enforcement action.