Followers of the Article 29 Working Party (WP29) could hardly be surprised that the group would be critical of the nascent EU-US Privacy Shield, but today’s opinion outlining the group’s reaction to last month’s draft adequacy decision presents a more nuanced perspective rather than a wholesale rejection of the new data transfer framework. Importantly, the WP29 recognizes the “significant improvements” brought by the Privacy Shield and notes that many of the shortcomings it identified in the earlier Safe Harbor framework have been addressed by negotiators.
So what are the group’s key concerns? First, the WP29 highlights drafting issues. The principles and guarantees of the Privacy Shield currently exist across a number of different legal documents and annexes, which arguably makes information difficult to find and inconsistent. “The language lacks clarity,” the WP29 states, making “accessibility for data subjects, organisations, and data protection authorities more difficult.” The group is further concerned that the Privacy Shield’s language is too closely tied to the old data protection directive and must be reviewed in order to ensure “the higher level of data protection” afforded by the incoming General Data Protection Regulation. Moving forward, the WP29 suggests the Privacy Shield will need to be reassessed after the GDPR comes into effect. The group also endorses efforts to review the Privacy Shield framework annually and suggests officials on both sides of the Atlantic agree to “elements of the joint reviews” well in advance.
Beyond style, however, the WP29 has several major points of concern about the new framework’s commercial components and national security aspects. For companies, the opinion suggests data retention limits are “not expressly mentioned and cannot be clearly construed” from the existing Privacy Shield documentation, and that controls on onward transfers of EU personal data are “insufficiently framed.”
The framework’s wide array of new redress mechanisms are criticized as “too complex…and therefore ineffective,” and the WP29 suggests EU data protection authorities should be considered “a natural contact point” for EU citizens. At last week’s IAPP Global Privacy Summit, regulators on both sides of the Atlantic took this as a given, suggesting further clarification on this point may not be terribly contentious.
While it may be possible to address the WP29’s commercial concerns, the group remains skeptical that the Privacy Shield actually addresses the “massive and indiscriminate” surveillance of EU citizens by US law enforcement and the intelligence community. The WP29 reiterates its long-standing position that such collection and use of personal information “can never be considered as proportionate and strictly necessary in a democratic society.” The opinion also questions whether the new State Department Ombudsperson is sufficiently independent or positioned to guarantee satisfactory redress. Still, the WP29 admits that the Privacy Shield’s discussion of access to data by public authorities, as well as the increased transparency offered by the US government, is “a large step forward” from the Safe Harbor.
The full impact of the WP29’s opinion is yet to be determined. Not only is the opinion not binding on the European Commission, but the Commission also has pledged to continue moving forward with the Privacy Shield framework by early summer. Vera Jourova, the European justice commissioner, hopes to address some if not all of the WP29’s concerns in final decision on the Privacy Shield. In the meantime, all parties agree that standard contractual clauses and binding corporate rules remain valid transatlantic data transfer mechanisms.