Article 29 Working Party considers draft Privacy Shield partially deficient and unclear

18 avril 2016 – On 13 April 2016, the Article 29 Working Party (WP29) published its much anticipated opinion (and the corresponding statement) on the European Commission’s draft adequacy decision on the EU-U.S. Privacy Shield, which was published at the end of February 2016 (cf. news of 02.03.2016).

The WP29 welcomes some significant improvements which are offered by the Privacy Shield in comparison to the Safe Harbor decision, such as the insertion of key definitions, the mechanisms introduced to ensure the oversight of the Privacy Shield list and mandatory external and internal reviews of compliance. However, the WP29 identified various deficiencies and unclear formulations in the Privacy Shield. The WP29 criticises a general lack of clarity and expresses its strong concerns on the commercial aspects as well as the access by public authorities to data transferred under the Privacy Shield.

With respect to the commercial aspects, the WP29 contemplates that some EU key data protection principles are not reflected in the Privacy Shield (i.e. data retention principle) or have been substituted with inadequate alternative notions (i.e. purpose limitation principle). Furthermore, the WP29 is concerned that the new redress mechanism may be too complex and difficult to use for EU individuals and may thus, also considering that it is in a different language, prove to be ineffective. The WP29 urges the European Commission (Commission) to provide more clarifications on this issue. It also sees a possible improvement of the redress mechanism if the national EU data protection authorities were considered as natural contact points for EU individuals, with such authorities having the option to act on behalf of EU individuals.

With respect to access by public authorities to data transferred under the Privacy Shield, the WP29 has strong concerns that the details provided by the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data that originated from the EU. As there is currently a tendency to collect even more data on a massive and indiscriminate scale due to the ongoing fight against terrorism, the WP29 considers that there will be upcoming rulings in this respect by the Court of Justice of the European Union. Furthermore, the WP29 is concerned that the Ombudsperson, whose introduction is welcomed by the WP29, will not be sufficiently independent and not have the adequate powers to guarantee a satisfactory remedy in case of disputes.

The WP29 urges the Commission to resolve the expressed concerns and provide the requested clarifications. It also mentions that the Privacy Shield will have to be reviewed after the new European General Data Protection Regulation has entered into force in the course of 2018 since this Regulation will improve data protection in the EU and has to be followed by the Privacy Shield.

The opinion of the WP29 is not binding on the Commission. However, it remains to be seen if and to what extent this opinion will in practice impact the time it will take the Commission to take the final adequacy decision. In our view, there is a certain risk that the taking of the adequacy decision will be delayed by this opinion. This would most likely also delay the entry into force of a similar but separate agreement for the transfer of personal data from Switzerland to recipients located in the USA.