In the latest twist in the ongoing saga of the EU-U.S. Privacy Shield data transfer agreement, EU data protection authorities (commonly known as the Article 29 Working Party) stated on April 13, 2016 that it would not affirm the adequacy of the Privacy Shield deal. In its opinion, the Working Party indicated that it does not believe the agreement provides sufficient protections for EU citizens’ data or safeguards against U.S. intelligence bulk data collection practices.
Following the invalidation of the EU-U.S. Safe Harbor Agreement last year—which created considerable uncertainty for the thousands of U.S. companies doing business in Europe—U.S. and European Commission officials scrambled to reach a new agreement to address European privacy concerns. In early February, they announced the new Privacy Shield deal after months of intensive negotiations. American businesses have expressed support for the Privacy Shield agreement in recent weeks, in the hope that the Privacy Shield would eliminate the uncertainty that has plagued trans-Atlantic data transfers since the Safe Harbor was struck down last year.
The Working Party acknowledged that the new agreement is an improvement over the invalidated Safe Harbor Agreement, but identified several concerns. These include questions about the sufficiency of data retention restrictions and protections applicable to transfers of EU data to countries other than the United States, the complexity of the proposed system for allowing EU citizens to lodge complaints, the possibility of data collection by U.S. authorities, and the independence of the proposed ombudsman to handle national security complaints.
While the Working Party’s opinion does not have the force of law, it increases the likelihood that the Privacy Shield may ultimately be rejected in its current form by European member states. It does not, however, preclude official approval of the Privacy Shield agreement.
We will continue to monitor this important story and provide updates as they occur.