The much-anticipated opinion by European data protection regulators on Privacy Shield has thrown fresh doubt on its viability as a successor to Safe Harbor – in its current form at least. For businesses, this will do nothing to alleviate the uncertainty they have been under since Safe Harbor was declared invalid. The key questions are:
- whether the concerns that have been raised will be addressed by the European Commission – and accepted by the US;
- whether businesses will use the Privacy Shield if those concerns are not fully addressed; and
- what businesses should be doing to protect themselves in the interim.
On 7 March 2016, we reported on the publication of the draft legal texts that would put in place the Privacy Shield. In that update, we anticipated that the opinion of the Article 29 Working Party (WP29) – made up of representatives of the 28 EU Member State data protection authorities – though not binding, would be particularly important. Now, six nervous weeks later, we have that all-important opinion.
On 13 April 2016, the WP29 announced that it had come to a common position regarding the Privacy Shield. It concluded that while the Privacy Shield offers “major improvements” compared to the invalidated Safe Harbor, it still raises some significant concerns. Therefore, there is still more to do to identify solutions to those concerns and to provide clarifications where requested. The objective is to ensure that the protection offered by the Privacy Shield is “essentially equivalent” to that guaranteed within the EU, as laid down by the CJEU in the case of Maximillian Schrems v Data Protection Commissioner; you can find our update on Schrems here.
The WP29 opinion: the highs, the lows, and the expectations
Back in February, the WP29 emphasised that the Privacy Shield would have to be analysed “with great attention as regards the need for restoring trust in transatlantic data flows”. In coming to its opinion, the WP29 took into account, existing EU laws and jurisprudence, including among other things:
- the requirements of the existing EU data protection legal framework, as set out in the Data Protection Directive 95/46/EC;
- fundamental rights enshrined in the European Convention on Human Rights and the Charter of Human Rights, including the right to an effective remedy and to a fair trial laid down in Article 47 of the Charter;
- the all-important CJEU decision in Schrems, which invalidated Safe Harbor and gave new impetus to the need to agree its replacement.
Against that backdrop, the WP29 assessed:
- the commercial aspects of the Privacy Shield, for example, whether or not the framework, as a means of legitimising transatlantic data flows for commercial purposes, ensures an essentially equivalent level of protection; and
- the possible derogations to the principles of the Privacy Shield for national security, law enforcement and public interest purposes.
In favour of the Privacy Shield, the WP29 welcomes the significant improvements that have been made to address the shortcomings of Safe Harbor, such as:
- the inclusion of mechanisms for the on-going monitoring of US companies processing EU citizens’ personal data, including external and internal reviews;
- increased transparency through the introduction of two “Privacy Shield Lists”: one list of the records of those organisations adhering to the Privacy Shield, and one list containing the records of those organisations that have adhered to the Privacy Shield in the past, but no longer do;
- that important steps have been taken in the US to increase transparency in relation to public access to data transferred to the US, either for national security or law enforcement purposes; and
- the assurance that the same level of protection will be afforded to all data transfers to the U.S. – there are no specific legal provisions in place to give advantage to one tool over another.
Areas of concern
Despite these improvements, the WP29 emphasised that there are still significant areas of concern. In particular:
- some of the key data protection principles are not reflected, or have been substituted by alternative notions. The WP29 is particularly concerned that the Privacy Shield seems to allow personal data transferred to the US to be re-used for other purposes (contrary to the purpose limitation principle) and does not oblige organisations to delete data if it is no longer necessary (contrary to the data retention principle);
- the US administration does not fully exclude the collection of mass and indiscriminate data; and
- the legal remedies available to European citizens whose personal data is transferred to the US and subsequently misused are not sufficient – the WP29 questioned the independence of the proposed Ombudsperson responsible for dealing with national security related complaints.
The WP29 also considered that the layout of the Privacy Shield as a “package” of materials, consisting of various letters and annexes, makes the information difficult to find, and at times, inconsistent.
Finally, the WP29 considered that a review of the Privacy Shield would need to be undertaken shortly after the entry into application of the General Data Protection Regulation (GDPR), to ensure that the higher level of protection offered by the GDPR is reflected in the Privacy Shield. The GDPR was adopted by the European Parliament on 14 April 2016; you can find our update on that here.
The WP29 asked the European Commission to consider these concerns, and to provide solutions and clarifications before the final adequacy decision is taken.
The Opinion of the WP29 though important, is not binding. The European Commission could still proceed to finalise its adequacy decision on the Privacy Shield without making any amendments or clarifications.
However, to do so would give privacy activists, including Max Schrems, further ammunition to challenge the Privacy Shield. The potential for such challenge means that affected EU and US businesses may also not welcome this approach, and without long-term reliability, acceptance of the Privacy Shield might erode significantly. Data exporters may in that case prefer to stick with the alternatives, such as EU Model Clauses which many put in place (or are in the process of putting in place) as an interim solution after Safe Harbor was declared invalid.
In her reaction to the Opinion of the WP29, European Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, stated that:
- the European Commission will work to include the recommendations raised by the WP29 and plans to do so before the Article 31 Committee meetings that are scheduled to take place on 29 April and 19 May 2016;
- the Article 31 Committee, composed of representatives of the EU Member States, will then vote on whether or not it approves the Privacy Shield, before the European Commission adopts the final adequacy decision; and
- the European Commission is still aiming to adopt the final adequacy decision on the Privacy Shield by June 2016.
Considering the concerns raised by it, the WP29 seemed less sure that the original June 2016 deadline could be met. However, it did make it clear that a further WP29 opinion on a revised version of the Privacy Shield prior to the adoption of the final adequacy decision is unlikely.
Are businesses any closer to legal certainty?
In the immediate term, the WP29 opinion does not alter either way the current uncertainty around EU-US data transfers. Safe Harbor is invalid and businesses still cannot rely on its successor, the Privacy Shield.
Much depends on the extent of any changes made to the Privacy Shield by the European Commission in light of the WP29’s concerns and requests for clarification. If not much changes, businesses may be reluctant to use the Privacy Shield even once they are able to do so. Even if the European Commission does look to implement the revisions required by the WP29, it is hard to predict whether this can actually be achieved. While the bargaining position of the Commission seems to be stronger with the backing of the WP29, it remains to be seen whether the US has any more to offer.
For businesses, this means that reliance on the Privacy Shield as a justification for US data transfers is not off the agenda, but has at least been deferred. In the meantime, the WP29 has confirmed that alternative transfer mechanisms, such as the model clauses and binding corporate rules (see our previous article here), can still be used – for the moment at least.