European Union: Update On EU-US Transfer Of Data And The Proposed Privacy Shield

On 29 February the European Commission released its draft adequacy decision about the proposed Privacy Shield, which is intended to replace the invalidated EU-US Safe Harbor. While Microsoft stated on April 11 that they "pledged to sign up for the Privacy Shield," the European authorities have so far been much more skeptical.

• Article 29 Working Party
  On 13 April, the Article 29 Working Party issued an opinion indicating they had strong concerns with the draft and asked the Commission to identify solutions to address them.
• European Parliament
  On 26 May, the European Parliament voted a resolution which outlined the deficiencies of the draft Privacy Shield and invited the Commission to negotiate further improvements.
• EDPS
  On 30 May, the European Data Protection Supervisor (EDPS) published an Opinion in which it explained that the draft Privacy Shield as currently formulated "does not adequately include all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress". The EDPS made detailed recommendations about how to improve the draft. For example, it noted that the draft adequacy decision states that "personal information must be limited to the information that is relevant for the purposes of processing". However, according to the data minimization principle, personal information must beadequate and not excessive or limited to the information that is necessary for the purposes for which they are collected and/or further processed.
• Article 31 Committee
  The 1995 Data Protection Directive provides that the Article 31 Committee (which is made up of representatives of all European Member States) must also issue an opinion on the draft adequacy opinion. It has been reported that members of the Committee were unable to reach an agreement at the meeting of May 19, but that further meetings will take place in June. The opinion of the Article 31 Committee is a very important step. It must be delivered by a qualified majority (16 Member States representing at least 65% of the European Union population) and if the opinion is negative, the Commission must defer application of the decision for three months and within that same period of time the Council may take a different decision (which is unlikely in this particular case since the Privacy Shield is the outcome of negotiations that were conducted between US authorities and the Commission).

The opinions issued by the Article 29 Working Party and the EDPS are not binding, but would obviously have a certain weight if the Privacy Shield was to be challenged before the European Court of Justice. Additionally, the EDPS pointed out that the Privacy Shield would be a short-term solution since it is not compliant with the new General Data Protection Regulation which will enter into force in May 2018.

All these negative reactions from EU authorities have led businesses and commentators to question whether the Commission will be able to reach a final Privacy Shield Agreement and, if such an agreement is reached, whether it will be reliable and workable.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.