Article 29 Working Party demands revisions to the Privacy Shield

26/04/2016

At a glance

On 13 April 2016, the Article 29 Working Party (the “WP29”), a group composed of representatives from the national data protection authorities in Europe, published its opinion on the EU/US Privacy Shield. The Privacy Shield is the proposed new framework governing data transfers from Europe to the United States (the previous framework, Safe Harbour, having been declared “invalid” by the European Court of Justice in October 2015).

In detail

The WP29 welcomed the significant improvements brought by the Privacy Shield following the Safe Harbour decision; however, it lamented the overall lack of clarity in the documentation and highlighted several shortcomings:

  • The Privacy Shield needs to be consistent with the General Data Protection Regulation (“GDPR”) due to come into force in two years’ time. A review is needed to ensure that the higher level of data protection offered by the GDPR is matched.
  • Some key data protection principles as outlined in European law are not reflected in the documentation. For example, the data retention principle is not addressed, nor is there any wording on the protection afforded against automated individual decisions based on automated processing. The WP29 suggests that clear definitions should be agreed between the EU and the US and be part of a glossary of terms to be included in the Privacy Shield FAQs.
  • The WP29 is adamant that any onward transfer of EU personal data must be protected to the same level as the Privacy Shield, and should not lead to lower protection, nor allow EU data protection principles to be circumvented. In particular, all Privacy Shield organisations should be obliged to assess any mandatory requirements of the third country’s national legislation applicable to the data importer, prior to the transfer.
  • The new redress mechanism may prove to be too complex in practice, difficult for EU individuals to use and therefore ineffective. Further clarification of the various procedures is needed.
  • Whilst the Privacy Shield extensively addresses the possibility of access to personal data by national security and law enforcement, representations made by the US did not exclude massive and indiscriminate collection of personal data originating from the EU. The WP29 reiterated its long-standing position on this, stating that such surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society (as is required under the fundamental rights of EU law).
  • The establishment of an Ombudsperson as a new redress mechanism constitutes a significant improvement for EU individuals’ rights with regard to US intelligence activities. However, the WP29 is concerned that the new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty; nor does it guarantee a satisfactory remedy in case of disagreement.

What next?

Whilst the WP29 is an advisory body, and the Commission is not obliged to follow its opinion, its representatives from the Member States are still able to put pressure on the Commission to make the suggested changes. The Privacy Shield still needs to be formally adopted by the Commission, so there is still the opportunity to make the recommended revisions and clarifications. However, this leaves us in a state of uncertainty as to what will happen, and highlights that the Privacy Shield is still very much a work in progress.

Liz Kilburn