In a 58-page opinion published April 13, 2016, the influential European Union Article 29 Working Party (WP29), which includes representatives of the data protection authorities of the 28 EU Member States, expressed significant concerns with respect to the terms of the proposed EU-US Privacy Shield that is intended to replace the EU-US Safe Harbor.
The WP29 made numerous critiques of the proposed EU-US Privacy Shield framework. These include, for example, the lack of consistency between the principles set forth in the Privacy Shield documents and the fundamental EU data protection principles outlined in the 1995 EU Data Protection Directive, the proposed EU General Data Protection Regulation, and related documents.
The WP29 group also requested clearer restrictions for the onward transfer of personal information that occurs after personal data of EU residents is transferred to the US. The WP29 is especially concerned with the subsequent transfer of data to a third country, outside the United States. In addition, the WP29 continues to be concerned about the effect, scope, and effectiveness of the measures proposed to address activities of law enforcement and intelligence agencies, often described as a “massive collection” of data.
On Feb. 29, 2016, the European Commission and U.S. Department of Commerce published a series of documents intended to constitute a new framework for transatlantic exchanges of personal data for commercial purposes, to be named the EU-U.S. Privacy Shield. The Privacy Shield would replace the EU-US Safe Harbor, which was invalidated by the Court of Justice of the European Union (CJEU) in October 2015, in the Schrems case.
Since the publication of the draft Privacy Shield documents, the WP29 members have convened in a series of meetings over the course of the past six weeks in order to evaluate these documents and come up with a common position.
The results of this six-week evaluation were expressed in an opinion entitled “Opinion 01/2016 on the EU-US Privacy Shield Draft Adequacy Decision – WP 238,” published on April 13, 2016. The 58-page document, which is well-drafted and thoughtful, contains numerous positive comments about the efforts of the EU and US in trying to design a framework that would adhere to the two-page guidance published at the end of January, which outlined the key aspects of the proposed cross-Atlantic framework.
The document also expressed a wide variety of concerns with respect to the proposed EU-US Privacy Shield. The WP29 group was concerned by: (i) the commercial provisions (which address issues similar to those addressed in the Safe Harbor principles); (ii) the surveillance aspects (specifically, the possible derogations from the principles of the Privacy Shield for national security, law enforcement, and public interest purposes); and (iii) the proposed joint review mechanism.
Consistency with Data Protection Principles
The WP29 indicated in its Opinion that its key objective is to make sure that the Privacy Shield would offer an equivalent level of protection for individuals when personal data is processed. The WP29 believes that some key EU data protection principles are not reflected in the draft documents, or have been inadequately substituted by alternative notions.
While it does not expect the Privacy Shield to be a mere and exhaustive copy of the EU legal framework, the WP29 stressed that the Privacy Shield should contain the substance of the fundamental principles in effect in the European Union, so that it can ensure an “essentially equivalent” level of protection. To this point, WP29 explains that the data retention principle is not expressly mentioned and there is no wording on the protection that should be afforded against automated individual decisions based solely on automated processing. The application of the purpose limitation principle to data processing is also unclear.
The WP29 paid special attention to onward transfers, an issue that was key to the Safe Harbor decision. It believes that the Privacy Shield provisions addressing onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose, and the guarantees applying to transfers to Agents.
The WP29 noted that since the Privacy Shield would be used to address onward transfers from a Privacy Shield entity located in the US to third country recipients, it should provide the same level of protection on all aspects of the Shield, including national security. In case of an onward transfer to a third country, every Privacy Shield organization should have the obligation to assess any mandatory requirements of the third country’s national legislation applicable to the data importer before making the transfer.
Finally, although the WP29 notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism may prove to be too complex in practice and difficult to use for EU individuals, and therefore ineffective. It therefore stresses the need for further clarification of the various recourse procedures; in particular, the WP29 suggests that EU data protection authorities, where they are willing, could be considered as a natural contact point for EU individuals involved in these complex redress procedures, and could have the option to act on their behalf.
Derogations for National Security Purposes
The WP29 observed that the draft EU Commission Adequacy Decision extensively addresses the possible access to data processed under the Privacy Shield for purposes of national security and law enforcement. It also notes that the US Administration, in Annex VI of the documents, also provides for increased transparency on the legislation applicable to intelligence data collection.
Regarding the massive collection of information, the WP29 notes that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU. This raises concerns for the protection of the fundamental rights to privacy and data protection. The WP29 pointed to other resources for clarification on this point, such as the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.
Concerning redress, the WP29 welcomes the establishment of an Ombudsperson as a new redress mechanism. Concurrently, it expressed its concern that this new institution might not be sufficiently independent, might not be vested with adequate powers to effectively exercise its duty, and does not guarantee a satisfactory remedy in case of disagreement.
Annual Joint Review
Regarding the proposed Annual Joint Review mechanism mentioned in the Privacy Shield framework, the WP29 noted that the Joint Review is a key factor to the credibility of the Privacy Shield. It points out, however, that the specific modalities for operations, such as the resulting report, its publicity, and the possible consequences, as well as the financing, need to be agreed upon well in advance of the first review.
Consistency with the General Data Protection Regulation
The WP29 notes that the Privacy Shield needs to be consistent with the EU data protection legal framework, in both scope and terminology. It suggests that a review should be undertaken shortly after the entry into application of the General Data Protection Regulation (GDPR), to ensure that the higher level of data protection offered by the GDPR is followed in the adequacy decision and its annexes.
Structure and Content
Regarding the structure and content of the documents, the WP29 noted that the complexity of the structure of the documents that constitute the Privacy Shield makes the documents difficult to understand. It is also concerned that the lack of clarity in the new framework might make it difficult to comprehend for data subjects, organizations, and even data protection authorities. In addition, it notes occasional inconsistencies within the 110 pages that form the current draft of the Privacy Shield framework. The WP29 urges the Commission to make the documents clearer and more understandable for both sides of the Atlantic.
In its 58-page opinion, the WP29 made great efforts to point to the improvements brought by the Privacy Shield compared to the Safe Harbor decision. However, overall, the evaluation of the 110-page proposed Privacy Shield framework is generally negative. The WP29 appears to doubt that the protection that would be offered under the Privacy Shield would be equivalent to that of the EU. The extent to which the EU Commission will be able to address these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the proposed documents remains to be seen.
Six months after the CJEU invalidated the EU Commission decision that had created the EU-US Safe Harbor, it seems that cross-Atlantic data transfers are still in limbo. There is still no simple, business-friendly solution to addressing the stringent prohibition against cross-border data transfers between EU/EEA entities and US-based companies. The viability of the Privacy Shield remains in question. With the negative opinion issued by the WP29, a very influential body of the European Union, it is uncertain whether and when a stable and final draft will be completed. Assuming such a framework may reach a form that is satisfactory to both sides, it would then need to be implemented. At a minimum, a new infrastructure, a website, and additional personnel will also be needed to make it operational, and these are all things that take even more time.
In the meantime, US companies that built their operations and business models around the simple and easy-to-use EU-US Safe Harbor should review the legality of their cross-border data transfers with their counsel. With no light at the end of the tunnel, it is urgent that they evaluate and implement means to address the stringent restriction against cross-border data transfers in effect in the European Union and European Economic Area, and that they understand and address the needs of their counterparts in the EU/EEA region in order to minimize the risk of enforcement action against the European entities.
Françoise Gilbert, Global Privacy and Cybersecurity Attorney, Greenberg Traurig
[Cloud Security Alliance Blog]