Following two years of intense negotiations, in February 2016, the European Commission and United States governments unveiled the replacement to the U.S.-EU Safe Harbor Framework, the EU-U.S. Privacy Shield, to much fanfare and relief.
Prior to October 2015, U.S. companies that wanted to protect the data of EU citizens chose to comply with the requirements of the Safe Harbor. However, on Oct. 6, 2015, the Court of Justice of the European Union declared the Safe Harbor to be invalid, prompting frantic efforts to develop a replacement framework for transatlantic data transfers that would ensure that any transfer of personal information of EU citizens to U.S. companies would meet equivalent data protection standards to those standards that exist in the EU.
On Feb. 29, 2016, the European Commission released a draft adequacy decision and the legal texts that form the proposed Privacy Shield, including written assurances from the U.S. government to enforce the agreement and the so-called Privacy Shield Principles that will bind participating U.S. companies.
Unfortunately, certain pesky European privacy regulators appear to have thrown a monkey wrench into this process. The Article 29 Working Party, an influential committee of EU privacy regulators, recently conducted its own assessment of the Privacy Shield and on April 13 released a statement and opinion on it.
While lauding the “significant improvements” of the Privacy Shield compared to the Safe Harbor decision (including mechanisms to ensure oversight of the Privacy Shield and mandatory compliance reviews), the working party nonetheless expressed “strong concerns” about both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.
The key objections raised by the working party are as follows:
1. Overall lack of clarity. As the Privacy Shield consists of various sets of documents, the working party complained that the principles and guarantees are set out in the EU adequacy decision and in the annexes, making the information both difficult to find and, at times, inconsistent.
2. Missing data protection principles. The working party review also found that some key data protection principles contained in European law are not reflected in the draft adequacy decision and the annexes or have been inadequately substituted. These include the application of purpose limitation on data processing and data retention principles.
The working party also noted the absence of adequate language regarding data transfers outside the U.S. to third countries and confirmed that such transfers should still provide the same level of protections on all aspects of the Shield (including national security) and not lead to lower or the circumvention of EU data protection principles.
3. Complex redress mechanism. Under the proposed Privacy Shield, the U.S. will implement an ombudsperson mechanism through which the ombudsperson will handle complaints of EU individuals regarding unauthorized access of their personal information by national intelligence authorities.
While the working group noted that additional resources will be made available to individuals to exercise their rights, they are concerned that the new redress mechanisms are too complex for EU individuals in practice (especially given language differences) and will therefore be ineffective. The working party suggests instead that national EU data protection authorities (assuming they are willing) could serve as natural contact points for EU complainants, acting on their behalf.
4. Ongoing access by public authorities to data transferred under the Privacy Shield. Politely put, the working party is not convinced that the representations of the U.S. Office of the Director of National Intelligence provide sufficient details to forestall/exclude against the massive and indiscriminate collection by U.S. authorities of personal data originating from the EU, basically through spying/surveillance activities (the Privacy Shield itself does contain certain national security exemptions).
The working party commented that it is carefully monitoring a forthcoming ruling by the Court of Justice of the European Union on the validity of the United Kingdom’s Data Retention and Investigatory Powers Act, which requires telecommunications providers to collect and store customer communications data and disclose it to law enforcement under certain provisions and the proposed draft investigatory powers bill.
5. Lack of independence of the ombudsperson. While the working party liked the idea of the establishment of the U.S. ombudsperson to handle complaints, it still raised concerns that the new institution would not be sufficiently independent and is not vested with adequate powers to effectively exercise its duty.
The working party also noted the Privacy Shield will have to be reviewed after the adoption of the new General Data Protection Regulation in 2018 in order to ensure that the higher level of data protection offered by the regulation is followed in the Privacy Shield.
Given the gaps found, the working party urged the commission to resolve these concerns in order to improve the draft adequacy decision and ensure that the Privacy Shield offers equivalent protections to that of the EU.
The working party, which was set up under the 1995 directive on the protection of personal data, is purely advisory, and the European Commission is not obliged to follow its advice. However, as it consists of data protection authorities from EU member states, the European Data Protection Supervisor, and a representative from the European Commission, it nonetheless has heft and the commission and member states will face pressure to listen to the working party’s complaints.
Adding possible fuel to the fire will be another opinion that is coming from the so-called article 31 committee, consisting of representatives from the member states. That committee is expected to consider the Privacy Shield at upcoming meetings on April 29 and May 19 before issuing its opinion.
The commission will then have to determine whether it will try to amend the Privacy Shield to address the concerns raised by the working party and the article 31 committee, balancing against its desire to enact the Privacy Shield, ideally by June.
In the meantime, the binding corporate rules and model standard contractual clauses, the alternative legal tools that many companies adopted following the death of Safe Harbor for their U.S.-EU data transfers, remain valid and can continue to be used. Luckily, the working party has declined to comment on these mechanisms — for the time being.