Originally published by: Canadian Lawyer Online - IT Girl Column
Following two years of intense negotiations, in February 2016,
the European Commission and United States governments unveiled the
replacement to the U.S.-EU Safe Harbor Framework, the EU-U.S.
Privacy Shield, to much fanfare and relief.
Prior to October 2015, U.S. companies that wanted to protect the
data of EU citizens chose to comply with the requirements of the
Safe Harbor. However, on Oct. 6, 2015, the Court of Justice of the
European Union declared the Safe Harbor to be invalid, prompting
frantic efforts to develop a replacement framework for
transatlantic data transfers that would ensure that any transfer of
personal information of EU citizens to U.S. companies would meet
equivalent data protection standards to those standards that exist
in the EU.
On Feb. 29, 2016, the European Commission released a draft adequacy
decision and the legal texts that form the proposed Privacy Shield,
including written assurances from the U.S. government to enforce
the agreement and the so-called Privacy Shield Principles that will
bind participating U.S. companies.
Unfortunately, certain pesky European privacy regulators appear to
have thrown a monkey wrench into this process. The Article 29
Working Party, an influential committee of EU privacy regulators,
recently conducted its own assessment of the Privacy Shield and on
April 13 released a statement and opinion on it.
While lauding the "significant improvements" of the
Privacy Shield compared to the Safe Harbor decision (including
mechanisms to ensure oversight of the Privacy Shield and mandatory
compliance reviews), the working party nonetheless expressed
"strong concerns" about both the commercial aspects and
the access by public authorities to data transferred under the
Privacy Shield.
The key objections raised by the working party are as
follows:
1. Overall lack of clarity. As the Privacy Shield
consists of various sets of documents, the working party complained
that the principles and guarantees are set out in the EU adequacy
decision and in the annexes, making the information both difficult
to find and, at times, inconsistent.
2. Missing data protection principles. The working
party review also found that some key data protection principles
contained in European law are not reflected in the draft adequacy
decision and the annexes or have been inadequately substituted.
These include the application of purpose limitation on data
processing and data retention principles.
The working party also noted the absence of adequate language
regarding data transfers outside the U.S. to third countries and
confirmed that such transfers should still provide the same level
of protection on all aspects of the Shield (including national
security) and should neither lower nor allow the circumvention of EU
data protection principles.
3. Complex redress mechanism. Under the proposed
Privacy Shield, the U.S. will implement an ombudsperson mechanism
through which the ombudsperson will handle complaints of EU
individuals regarding unauthorized access of their personal
information by national intelligence authorities.
While the working party noted that additional resources will be
made available to individuals to exercise their rights, it is
concerned that the new redress mechanisms are too complex for EU
individuals in practice (especially given language differences) and
will therefore be ineffective. The working party suggests instead
that national EU data protection authorities (assuming they are
willing) could serve as natural contact points for EU complainants,
acting on their behalf.
4. Ongoing access by public authorities to data
transferred under the Privacy Shield. Politely put, the working
party is not convinced that the representations of the U.S. Office
of the Director of National Intelligence provide sufficient detail
to forestall or exclude the massive and indiscriminate collection
by U.S. authorities of personal data originating from the EU,
essentially through surveillance activities (the Privacy Shield
itself does contain certain national security exemptions).
The working party commented that it is carefully monitoring a
forthcoming ruling by the Court of Justice of the European Union on
the validity of the United Kingdom's Data Retention and
Investigatory Powers Act, which requires telecommunications
providers to collect and store customer communications data and
disclose it to law enforcement under certain provisions, as well as
the proposed draft investigatory powers bill.
5. Lack of independence of the ombudsperson. While
the working party liked the idea of the establishment of the U.S.
ombudsperson to handle complaints, it still raised concerns that
the new institution would not be sufficiently independent and would
not be vested with adequate powers to effectively exercise its
duty.
The working party also noted the Privacy Shield will have to be
reviewed after the adoption of the new General Data Protection
Regulation in 2018 in order to ensure that the higher level of data
protection offered by the regulation is followed in the Privacy
Shield.
Given the gaps found, the working party urged the commission to
resolve these concerns in order to improve the draft adequacy
decision and ensure that the Privacy Shield offers equivalent
protections to that of the EU.
The working party, which was set up under the 1995 directive on the
protection of personal data, is purely advisory, and the European
Commission is not obliged to follow its advice. However, as it
consists of data protection authorities from EU member states, the
European Data Protection Supervisor, and a representative from the
European Commission, it nonetheless has heft and the commission and
member states will face pressure to listen to the working
party's complaints.
Adding possible fuel to the fire will be another opinion that is
coming from the so-called article 31 committee, consisting of
representatives from the member states. That committee is expected
to consider the Privacy Shield at upcoming meetings on April 29 and
May 19 before issuing its opinion.
The commission will then have to determine whether it will try to
amend the Privacy Shield to address the concerns raised by the
working party and the article 31 committee, balancing against its
desire to enact the Privacy Shield, ideally by June.
In the meantime, the binding corporate rules and model standard
contractual clauses, the alternative legal tools that many
companies adopted following the death of Safe Harbor for their
U.S.-EU data transfers, remain valid and can continue to be used.
Luckily, the working party has declined to comment on these
mechanisms — for the time being.