Yesterday, the Article 29 Working Party took action which some found surprising and others predicted. It found the EU-U.S. Privacy Shield did not contain adequate protections and needs further improvement. The Working Party’s statement can be found here.
While acknowledging the Privacy Shield contains “significant improvements” over the previous Safe Harbor, the Working Party also stated its objective is to “make sure that an essentially equivalent level of protection is maintained when personal data is processed subject to the provisions of the Privacy Shield.”
Some of the Working Party’s concerns had to do with the cumbersome way the package of documents is constructed (the agreement plus the multiple supporting letters of assurance), which, according to the Working Party, makes the protections of the Privacy Shield difficult to access and understand, and in some places contradictory. Additionally, the Working Party found the protections inadequate because some protections that exist in the law are not included in the Privacy Shield. In particular, the purpose limitation (why the data is being captured and retained) and the lack of a clear data retention principle (which is neither mentioned nor can be inferred) were cited. Further, automated processing of data is not even mentioned. Additionally, since the Privacy Shield will allow the onward transfer of data from the EU to the U.S. and then to third countries, the Article 29 Working Party “insist[ed]” the Privacy Shield should require the same level of protection when the data is transferred outside the U.S. as is required when the data is transferred from the EU to the U.S. It also found the redress mechanism too “complex” and “difficult” for EU citizens to use, saying that, in the end, it would be “ineffective.” The Working Party called out the Ombudsman process as particularly noteworthy, but questioned the independence of any such person.
A major concern in the context of the negotiation of the Privacy Shield was fall-out from the Snowden disclosures regarding massive data collection by the U.S. As such, from the American side detailed assurances and explanations were provided by the Office of the Director of National Intelligence (“ODNI”). The Working Party found those ODNI written assurances did not “provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU.”
The Working Party also pointed out “the Privacy Shield adopted on the basis of Directive 95/46/EC needs to be consistent with the EU data protection legal framework, both in scope and terminology. In this regard, a review of the text of the Privacy Shield will have to take place after the entry into application of the General Data Protection Regulation in the course of 2018, in order to ensure the higher level of data protection offered by the Regulation is followed in the Privacy Shield.[emphasis in original]”
Finally, in its conclusion, the Working Party appreciated “the improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. But, given the concerns expressed and the clarifications asked, it urges the Commission to resolve these concerns and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU. [emphasis in original]”
There are two upcoming EU events which may well dictate the final outcome. From the EU structure side, the Article 31 Committee must now weigh in. The full title of the Article 31 Committee is “Committee on the Protection of Individuals with regard to the Processing of Personal Data,” so its input is critical. It has meetings scheduled on April 29 and May 19 and is not expected to issue an opinion until after those meetings take place. After that, the European Commission will have to decide whether to try to revise the agreement in the face of the comments already in hand from the Article 29 Working Party, along with any recommendations from the Article 31 Committee.
The second event is the expected ruling of the Court of Justice of the European Union regarding the legality of mass surveillance of EU citizens. If the Court finds that surveillance illegal, it could throw into serious doubt the scope of the national security exceptions in the Privacy Shield. Since the Safe Harbor was struck down over mass surveillance concerns, the whole situation, at least right now, is in a total state of chaos. For companies, this makes proceeding even more dicey. The Data Protection Authorities in some jurisdictions have said complying with the old Safe Harbor provisions will not insulate companies from liability, even if they use model clauses instead (which would, in any case, need to be updated to articulate what appears in the current version of the Privacy Shield), so perhaps the wisest course of action is for companies to continue revising their procedures and modeling off the contents of the Privacy Shield as currently published, while waiting for a final guidance document.