The Article 29 Working Party – an advisory body composed of representatives of the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission – is not satisfied with the new EU-US Privacy Shield agreement, and has offered advice on changes that should be made to it.
Presented earlier this year, the EU-US Privacy Shield framework for protecting the fundamental rights of Europeans where their data is transferred to the United States is meant to replace the US Safe Harbour agreement, which was invalidated by the EU Court of Justice on 6 October 2015 (in the Schrems case).
Points of concern
Overall, they welcome the improvements brought by the Privacy Shield compared to the Safe Harbour decision – “the insertion of key definitions, the mechanisms set up to ensure the oversight of the Privacy Shield list and the now mandatory external and internal reviews of compliance.”
But three major points of concern remain:
“The first concern is that the language used in the draft adequacy decision does not oblige organisations to delete data if they are no longer necessary. This is an essential element of EU data protection law to ensure that data is kept for no longer than necessary to achieve the purpose for which the data were collected,” they noted.
“Secondly, the WP29 understands from Annex VI that the US administration does not fully exclude the continued collection of massive and indiscriminate data. The WP29 has consistently held that such data collection is an unjustified interference with the fundamental rights of individuals. The third point of concern regards the introduction of the Ombudsperson mechanism. Even though the WP29 welcomes this unprecedented step creating an additional redress and oversight mechanism for individuals, concerns remain as to whether the Ombudsperson has sufficient powers to function effectively. As a minimum, both the powers and the position of the Ombudsperson need to be clarified in order to demonstrate that the role is truly independent and can offer an effective remedy to non-compliant data processing.”
Finally, they noted that when the General Data Protection Regulation comes into effect in 2018, the EU-US Privacy Shield will have to be reviewed in order to match the higher level of data protection offered by the regulation.
What happens now?
The Article 29 Working Party’s advice is not binding, and the European Commission, which is required to give the last OK in order for Privacy Shield to come into effect, doesn’t have to take it into consideration.
Still, Isabelle Falque-Pierrotin, the Party’s chairwoman, intimated that if changes aren’t made to address their concerns, the issue might end up before the European Court of Justice – the same court that struck down the US Safe Harbour agreement.
Another group, the Article 31 Committee, composed of the representatives of EU Member States and chaired by the representative of the Commission, still has to give its own opinion on Privacy Shield. Their advice is, on the other hand, binding, so it’s possible that the current version of the legislation is not the last.
“If the EU Commission and the US bodies do not take the opinion of the Article 29 Working Party seriously, Privacy Shield is more likely to be challenged in the higher European courts in the near future, especially if the Max Schrems case is anything to go by. Then we’re back to square one,” Deema Freij, global privacy officer, Intralinks, told Help Net Security.
“For businesses, however, this news isn’t too catastrophic. After the demise of Safe Harbour, companies realised it’s good to have back-up plans should one legal route be shut off. EU Model Clauses and Binding Corporate Rules are still seen as legitimate alternatives to the Privacy Shield according to today’s announcement. At the moment, businesses have switched – or are switching – to EU Model Clauses so they are able to transfer personal data to the US – and they can continue to use these in spite of the decision today.”