Insights Article 29 Data Protection Working Party publishes Opinion on EU-US Privacy Shield.

Following publication by the European Commission of the draft adequacy decision on the EU-US Privacy Shield, the Article 29 Working Party has now conducted its assessment in light of the Data Protection Directive (95/46/EC), and in light of the fundamental rights to private life and data protection as enshrined in Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental rights of the European Union.  The Working Party notes that a further review of the text of the Privacy Shield will have to take place once the new General Data Protection Regulation comes into force during the course of 2018.

The Working Party says that its objective is “to make sure that an essentially equivalent level of protection is maintained when personal data is processed subject to the provisions of the Privacy Shield”.

Overall, the Working Party says that it welcomes the “significant improvements” brought by the Privacy Shield compared to the Safe Harbour decision.  In particular, it says, the insertion of key definitions, the mechanisms set up to ensure the oversight of the Privacy Shield and the now mandatory external and internal reviews of compliance are “a positive step forward”.

However, the Working Party has “strong concerns” on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.

The Working Party says that it “regrets” that the Privacy Shield is made up of various separate documents, i.e. the adequacy decision and in its annexes.  This makes the information both difficult to find, and at times, inconsistent, it says, and “contributes to an overall lack of clarity”.

As for the commercial aspects of the Privacy Shield, the Working Party considers that some key data protection principles enshrined in European law are not reflected in the Privacy Shield, or have been inadequately substituted by alternative principles.  In particular, the application of the purpose limitation principle to data processing is unclear, it says.  The Working Party is also concerned that the data retention principle is not clear and cannot be easily construed from the current wording of the text.

Since the Privacy Shield will also be used to transfer data outside the US, the Working Party says that onward transfers from a Privacy Shield entity to third country recipients should have the same level of protection as under the Shield (including national security) and should not lead to lower, or circumvent completely, EU data protection principles.

The Working Party notes the additional powers individuals will have to exercise their rights, but it is concerned that the new redress mechanisms may prove to be too complex in practice.  It is worried that it will be too difficult for EU individuals to use, especially in a different language, and will therefore be ineffective.  Further clarification of the various recourse procedures is therefore needed.

As for access by public authorities to data transferred under the Privacy Shield, the Working Party is concerned that the representations made by the US Office of the Director of National Intelligence (ODNI) are not sufficient in detail to prevent indiscriminate, large-scale collection of personal data from the EU.  The Working Party reminds readers of the long-standing fundamental principle that massive and indiscriminate surveillance of individuals can never be considered proportionate or strictly necessary in a democratic society.  The Working Party notes that there is a tendency to want to collect more data on a massive and indiscriminate scale in the light of the fight against terrorism, but is concerned about the threat this potentially poses to the fundamental rights of privacy and data protection.

The Working Party says that it welcomes the establishment of an Ombudsperson as a new redress mechanism.  However, it is concerned that this new institution will not be sufficiently independent and will not be vested with adequate powers to exercise its duty effectively.

In conclusion, the Working Party notes the improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision.  However, it urges the Commission to address its concerns and ensure that the protection offered by the Privacy Shield is equal to that provided under current EU legislation.  To access the Working Party’s Opinion, click here.

Expertise

Topics