On April 13, 2016, the Article 29 Working Party (“Art. 29 WP”) held a press conference at which it presented its forthcoming opinion on the adequacy of the US-EU Privacy Shield.
As background, the European Commission has put forth a draft “adequacy decision” in which it declares that on the basis of Privacy Shield, the United States offers data protection that is essentially equivalent to that offered in the EU. Such an adequacy decision would permit data transfers to US companies that agree to abide by the Privacy Shield principles. However, an important part of the approval process involves presenting the Privacy Shield and the draft adequacy decision to the Art. 29 WP and the European Data Protection Supervisor for formal comment.
At the press conference, the Art. 29 WP clearly stated it could not support the Commission’s draft adequacy decision in its present form. Although the Art. 29 WP noted that Privacy Shield contains “important improvements” over the now-defunct Safe Harbor, it could not yet agree that Privacy Shield guaranteed adequate protection for personal data transferred to the US. Its primary areas of concern were as follows:
On the commercial side:
Purpose limitation: Art. 29 WP believes that the purpose limitation principle as presently phrased is “unclear” and could permit unanticipated re-uses of transferred data.
Onward transfers: Art. 29 WP believes that Privacy Shield’s onward-transfer rules are “better framed” than under Safe Harbor, but is concerned that Privacy Shield lacks any requirement to evaluate the adequacy of third countries to which data may be transferred.
Recourse: Art. 29 WP believes that Privacy Shield contains too many recourse mechanisms, and that finding “the right interlocutor” will prove too complex for consumers. It also stated that “the EU should be the point of contact” for consumers “on this issue.”
On the surveillance side:
Bulk collection: Art. 29 WP understands the present Privacy Shield draft as permitting both bulk collection and bulk use of data for, among others, national-security and law-enforcement purposes – and believes this is incompatible with fundamental EU data privacy norms.
Ombudsperson mechanism: Art. 29 WP sees the ombudsperson as a great “innovation,” but is concerned about the independence of the ombudsperson, and also about her ability to offer effective relief. Moreover, Art. 29 WP was concerned about the ombudsperson’s “status,” perhaps expressing concerns about the potential actions of future presidential administrations.
Notably, Art. 29 WP would not expressly state that these are issues that must be corrected. Instead, it signaled a willingness to await “clarification” from the Commission regarding its concerns. Also, Art. 29 WP noted that its opinion – especially in regards to surveillance issues – could change depending on a forthcoming decision of the European Court of Justice (ECJ) regarding the sharing of Passenger Name Record data.
During the ensuring Q&A with reporters, Art. 29 WP made one important observation for businesses: until the point in time where the Commission issues its final adequacy decision, transfers on the basis of Binding Corporate Rules or “other transfer tools” (such as Model Clauses) remain permitted – “they still can be used in this period,” in Art. 29 WP’s own words. However, Art. 29 WP also indicated that once the Commission’s adequacy decision is issued, it will revisit the viability of alternative transfer mechanisms.
A video recording of the Art. 29 WP’s press conference can be viewed here.