EU Data Protection Authorities Release Report on Privacy Shield

King & Spalding

On November 28, 2017, the statutorily appointed independent EU advisory body known as the Article 29 Working Party (“WP29”) released its report following the First Annual Joint Review on the EU-U.S. Privacy Shield (“Privacy Shield”). The WP29 report comes one month after a report by the European Commission (“EC”) highlighted the positive effects of the Privacy Shield. The WP29 report, by contrast, highlights concerns regarding both the commercial aspects of the Privacy Shield and the protections for EU citizens from government access to data, and threatens to take action to challenge the Privacy Shield if the concerns are not resolved.

The Privacy Shield was designed by the U.S. Department of Commerce (“DoC”) and the EC to provide companies with a mechanism to comply with European data protection requirements when transferring personal data from the EU to the U.S. (see here for more details). A transfer of personal data from the EU to Privacy Shield-certified companies in the U.S. is considered “adequate” by the EC and, therefore, allowed under EU privacy laws without further notification or consent requirements. The Privacy Shield, which has been operational since August 1, 2016, replaced the previous Safe Harbor Agreement, which was invalidated by the European Court of Justice in the Schrems case in October 2015 (see here for more details).

The WP29 is an independent advisory body on data protection and privacy within the European Union, set up under Article 29 of the 1995 Data Protection Directive. The WP29 is composed of representatives from each of the EU member states, the European Data Protection Supervisor, and a representative from the European Commission.

As we previously reported, the Privacy Shield is subject to annual evaluation, the first of which took place in Washington, D.C. on September 18 and 19, 2017, and led to a positive report by the EC. The WP29, however, chose to highlight a number of issues with the Privacy Shield.

With respect to the commercial aspects of the Privacy Shield, the WP29 noted that the guidance published by the DoC on Privacy Shield implementation is unclear and overly general. Since businesses self-certify that they comply with Privacy Shield requirements, the lack of clear guidance leaves too many issues open and could lead to the required level of protection of data not being met. Similarly, the WP29 noted that DoC guidance is lacking in terms of describing the available rights and remedies for data subjects.

The self-certification process also relies on oversight and supervision by U.S. authorities to ensure compliance, and the WP29 found that such oversight was lacking in practice. Specifically, the WP29 noted that the DoC and the Federal Trade Commission had yet to conduct periodic compliance reviews, as required by the Privacy Shield.

With respect to the protections against government access to data, the WP29 report calls for further reforms of the U.S. rules on collection and access of personal data for national security purposes. Specifically, the WP29 noted that in the upcoming reauthorization of the Foreign Intelligence Surveillance Act, the U.S. government should provide for more precise targeting of subjects as well as a requirement for reasonable suspicion before data can be accessed.

The WP29 also explained that while the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”) was an essential independent oversight entity, it currently has multiple vacancies. The WP29 called for the U.S. government to appoint new members to the PCLOB to allow it to become fully functional. The WP29 also called for the appointment of an independent ombudsperson as soon as possible to allow EU citizens a method of redress with respect to U.S. intelligence access to data.

While the WP29 acknowledged that the Privacy Shield has shown significant progress compared to the previous Safe Harbor Agreement, the report noted that the identified concerns are “significant” and must be addressed by U.S. authorities and the EC. The WP29 called on authorities to make specific changes by May 25, 2018 (which is, notably, the date on which the EU’s new General Data Protection Regulation will come into force)—namely, the appointment of an independent ombudsperson and of members to the PCLOB, as well as an action plan for resolution of other concerns. The WP29 also demanded that its remaining concerns be addressed by the second annual review of the Privacy Shield. The WP29 noted that if remedies for these concerns are not forthcoming, the WP29 was prepared to take action in EU member state courts to challenge the adequacy of the Privacy Shield.

The full report is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
