On July 26, 2016, the body of European Data Protection Authorities (DPAs)—the "Article 29 Working Party" (WP29)—issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 continues to have some of the concerns raised in its April 2016 opinion, and the Privacy Shield will most likely face legal challenge, the Privacy Shield is a valid tool for companies transferring data from the EU to the U.S. Companies can begin registering for the Privacy Shield on August 1, 2016.
The WP29 statement indicates that it will pay close attention to the annual joint review called for in the framework and to ensuring that individuals may effectively exercise their rights under the Privacy Shield. The WP29 emphasizes that it will closely monitor the functioning of the Privacy Shield and will not hesitate to request changes that it believes are warranted as a result of the first annual review of the Privacy Shield framework.
The key takeaways of the WP29's statement are the following:
-
Some concerns remain regarding the commercial aspects of the Privacy Shield that will be further assessed during the first annual review
The WP29 welcomes the improvements made to the Privacy Shield, but notes that a number of issues raised in the April 2016 opinion concerning commercial practices are not sufficiently addressed. In particular, the WP29 raises concerns about: (i) the lack of specific rules on automated decision-making and of a general right to object, and (ii) the lack of clarity regarding the application of the Privacy Shield to data processors. The WP29 will focus on these elements during the first annual joint review.
-
The lack of guarantees regarding the ombudsperson's independence and alleged mass surveillance are problematic and may impact other data transfer mechanisms
The WP29 also expresses concerns that the Privacy Shield does not contain sufficient guarantees with regard to the independence and powers of the ombudsperson. It notes the commitment of the Office of the Director of National Intelligence (ODNI) not to conduct mass and indiscriminate collection of personal data, but emphasizes the lack of concrete assurances regarding such practices. The WP29 does not explicitly endorse or negatively opine on the other data transfer mechanisms such as Standard Contractual Clauses and Binding Corporate Rules. However, the WP29 suggests that these other data transfer mechanisms may be affected if the WP29's concerns regarding mass and indiscriminate data collection are not addressed at the Privacy Shield's first joint review.
-
Focus on complaints from individuals and enforcement
Now that the Privacy Shield has been adopted, the WP29 will focus on the DPAs' enhanced enforcement role under the new framework. The Privacy Shield allows individuals to exercise their rights against Privacy Shield-certified companies via their national DPAs. The WP29 states that national DPAs are committed to assisting individuals with complaints regarding compliance with the Privacy Shield. Companies should thus expect more scrutiny and enforcement by EU DPAs under the Privacy Shield than under the Safe Harbor.
-
Further guidance is expected
The WP29 will provide guidance to companies and individuals on the Privacy Shield. It will also make suggestions regarding how to set up the recourse mechanisms provided by the Privacy Shield, in particular the Privacy Shield Panel and the joint review mechanism.
Conclusion
The WP29 statement is a positive step for the future of the Privacy Shield. Some concerns remain and legal challenges to the Privacy Shield are likely, but the Privacy Shield is now a valid data transfer mechanism for transferring data to the U.S. Notwithstanding the validity of the Privacy Shield, national DPAs remain empowered to commence enforcement actions or suspend data transfers to the U.S. under the Privacy Shield or any other data transfer mechanism.
We monitor developments related to EU-U.S. data transfers closely and will update you on any significant news.
