On November 28, 2017, the EU’s Article 29 Working Party issued its report on the First Annual Joint Review of the EU-US Privacy Shield, which was conducted on September 18-19, 2017.
In this 38 page report, the WP analyzed the Privacy Shield’s commercial and government aspects (as it did in its earlier opinion, issued in April 2016 when the Privacy Shield was still a draft; see our earlier discussion of that opinion). While the WP acknowledged the progress of the Privacy Shield in comparison with the invalidated Safe Harbors, the WP still has “a number of significant concerns,” including:
- On the commercial aspects, the WP identified a number of unresolved issues, some as basic as the lack of guidance and clear information. The WP called for increased oversight and supervision of Privacy Shield compliance by the US authorities.
- On the government aspects, the WP called for the production of further evidence (or adoption of legally binding commitments) to substantiate the assertions by the US authorities that the collection of data under section 702 of Foreign Intelligence Surveillance Act is not indiscriminant and access is not conducted on a generalized basis under the UPSTREAM program.
The WP also called for the appointment of new members to the vacancies on the Privacy and Civil Liberties Oversight Board and the appointment of the Ombudsperson, seeking both as soon as possible. These appointments need to be resolved by 25 May 2018 (the date when GDPR will come into force). The WP expects its remaining concerns to be addressed by that date. If these concerns are not addressed by then, the EU’s national Data Protection Authorities will be free to take action against the Privacy Shield, including but not limited to challenging the adequacy of the Privacy Shield before their own national courts (which could then refer the case to the Court of Justice of the European Union).