In a 58-page opinion published on April 13, 2016, the influential European Union Article 29 Working Party (“WP29”), which gathers representatives of the data protection authorities of the 28 EU member states, expressed significant concerns with respect to the terms of the proposed EU-US Privacy Shield that is intended to replace the EU-US Safe Harbor.
The WP29 made numerous critiques to the documents that form the proposed EU-US Privacy Shield framework. Some of these critiques address the essential elements of contention that have been expressed in numerous forms in the past. These include for example, the lack of consistency between the principles set forth in the Privacy Shield documents and the fundamental EU data Protection principles outlined in the 1995 EU Data Protection Directive, the proposed EU General Data Protection Regulation, and related documents.
The WP29 group also requested that clearer restrictions apply to the onward transfer of the personal information, which occurs once personal data of EU residents has been transferred to the US. They are especially concerned about the subsequent transfer of data to a third country, outside the United States. In addition, the WP29 continues to be concerned about the effect, scope, and effectiveness of the measures proposed to address activities of law enforcement and intelligence agencies, often described as “massive collection” of data.
Background
On 29 February 2016, the European Commission and US Department of Commerce published a series of documents intended to constitute a new framework for transatlantic exchanges of personal data for commercial purposes, to be named the EU-U.S. Privacy Shield. The Privacy Shield is intended to replace the EU-US Safe Harbor, which was invalidated by the Court of Justice of the European Union (CJEU) in October 2015, in the Schrems case.
Since the publication of the draft Privacy Shield documents, the WP29 members have convened in a series of meetings in order to assess these documents and come up with a common position.
The results of this 6-week intense evaluation were expressed in an opinion entitled “Opinion 01/2106 on the EU-US Privacy Shield Draft Adequacy Decision – WP 238” published on April 13, 2016. The 58-page well drafted and thoughtful document contains numerous positive comments about the efforts of the EU and US teams in trying to design a framework that would implement the guidance of the two-page term sheet published at the end of January that outlined the key aspects of the proposed cross Atlantic framework.
The document also expressed a wide variety of concerns with respect to the proposed EU-US Privacy Shield that is intended to replace the EU-US Safe Harbor. The WP29 group was concerned by (i) the commercial provisions (which address issues similar to those addressed in the Safe Harbor); (ii) the surveillance aspects, specifically, the possible derogations to the principles of the Privacy Shield for national security, law enforcement, and public interests purposes; as well as (iii) the proposed joint review mechanism.
Commercial Aspects
Consistency with Data Protection Principles
The WP29 indicated that its key objective is to make sure that the Privacy Shield would offer an equivalent level of protection of individuals when personal data is processed under the Privacy Shield. The WP29 believes that some key EU data protection principles are not reflected in the draft documents, or have been inadequately substituted by alternative notions.
While it does not expect the Privacy Shield to be a mere and exhaustive copy of the EU legal framework, the WP29 stressed that the Privacy Shield should contain the substance of the fundamental principles in effect in the European Union, so that it can ensure an “essentially equivalent” level of protection. For instance, the data retention principle is not expressly mentioned; there is no wording on the protection that should be afforded against automated individual decisions based solely on automated processing. The application of the purpose limitation principle to the data processing is also unclear.
Onward Transfers
The WP29 paid special attention to onward transfers, an issue that was key to the Safe Harbor decision. It believes that the Privacy Shield provisions on onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.
The WP29 noted that since the Privacy Shield will also be used to transfer data outside the US, onward transfers from a Privacy Shield entity to third country recipients, it should provide the same level of protection on all aspects of the Shield, including national security. In case of an onward transfer to a third country, every Privacy Shield organization should have the obligation to assess any mandatory requirements of the third country’s national legislation applicable to the data importer before making the transfer.
Recourse Mechanisms
Finally, although the WP29 notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism in practice may prove to be too complex, difficult to use for EU individuals, and therefore, ineffective. Further clarification of the various recourse procedures is therefore needed; in particular, where they are willing, EU data protection authorities could be considered as a natural contact point for the EU individuals in the various procedures, and have the option to act on their behalf.
National Security
Derogations for national security purposes
The WP29 observed that the draft EU Commission Adequacy Decision extensively addresses the possible access to data processed under the Privacy Shield for purposes of national security and law enforcement. It also notes that the US Administration, in Annex VI of the documents, also provides for increased transparency on the legislation applicable to intelligence data collection.
Massive Collection
Regarding the massive collection of information, the WP29 notes, however, that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU. Given the concerns this brings for the protection of the fundamental rights to privacy and data protection, the WP29 pointed to other resources for clarification on this point, such as the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.
Redress
Concerning redress, the WP29 welcomes the establishment of an Ombudsperson as a new redress mechanism. Concurrently, it expressed its concern that this new institution might not be sufficiently independent, might not be vested with adequate powers to effectively exercise its duty, and does not guarantee a satisfactory remedy in case of disagreement.
Annual Joint Review
Regarding the proposed Annual Joint Review mechanism mentioned in the Privacy Shield framework, the WP29 noted that the Joint Review is a key factor to the credibility of the Privacy Shield. It points out, however, that the specific modalities for operations, such as the resulting report, its publicity and the possible consequences, as well as the financing, need to be agreed well in advance of the first review.
Drafting Deficiencies
Consistency with the General Data Protection Regulation
The WP29 notes that the Privacy Shield needs to be consistent with the EU data protection legal framework, in both scope and terminology. It suggests that a review should be undertaken shortly after the entry into application of the General Data Protection Regulation (GDPR), to ensure that the higher level of data protection offered by the GDPR is followed in the adequacy decision and its annexes.
Structure and Content
Regarding the structure and content of the documents, the WP29 noted that the complexity of the structure of the documents that constitute the Privacy Shield make the documents difficult to understand. They are also concerned that the lack of clarity of the new framework might cause it to be difficult to comprehend by data subjects, organizations, and even data protection authorities. In addition, they note occasional inconsistencies within the 110 pages that form the current draft of the Privacy Shield framework. The WP29 therefore urges the Commission to make the documents clear and understandable for both sides of the Atlantic.
Conclusion
In its 58-page opinion, the WP29 made great efforts to point to the improvements brought by the Privacy Shield compared to the Safe Harbor decision. However, overall, the evaluation of the 110-page proposed Privacy Shield framework is generally negative. The WP29 appears to doubt that the protection that would be offered by the Privacy Shield is essentially equivalent to that of the EU.
Even though there are numerous positive comments, such as acknowledgements that many of the shortcomings of the Safe Harbor were addressed in the proposed framework, the general tone of the WP29 is critical of the end result. The concerns expressed in the WP29 Opinion include, for example, lack of consistency with the EU data protection, insufficient coverage of the massive collection of information. They also point to more basic issues such as inconsistencies among provisions, and lack of clarity caused by the structure and composition of the document.
It remains to be seen the extent to which the EU Commission will be able to address these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the proposed documents. The viability of the Privacy Shield remains in question.
With the negative opinion issued by the WP29, a very influential body of the European Union, it becomes uncertain whether, and when, a stable and final draft will be completed. Assuming such framework may reach a form that is satisfactory to both sides, it would also need to be implemented. Once the final draft is approved and voted on, it will need to be implemented. At a minimum, a new infrastructure, a website, and additional personnel will be needed to make it operational.
Six months after the CJEU invalidated the EU Commission decision that had created the EU-US Safe Harbor, cross Atlantic data transfers are still in limbo. There is still no simple, business friendly solution to addressing the stringent prohibition against cross border data transfers between EU/EEA entities and US based companies.
US companies that had built their operations and business models around the simple and easy to use EU-US Safe Harbor; assuming that they have not already done so, need to address the legality of their cross border data transfers. With no light, so far at the end of the tunnel, it is urgent that they evaluate and implement means to address the stringent restriction against cross border data transfers in effect in the European Union and European Economic Areas, that they understand and address the needs of their counterparts in the EU/EEA region, in order to minimize the risk of enforcement action against the European entities.