European data protection regulators have broadly welcomed the
EU-US Privacy Shield proposals but say that despite substantial
progress, the European Commission has more work to do.
What's the issue?
In October 2015, the Court of Justice of the European Union cast
the future of data transfers from the EEA to the USA into doubt
after striking down the Safe Harbor regime and indirectly
questioning the validity of other data export tools. In early
February 2016, the European Commission announced agreement of a new
EU-US Privacy Shield to replace Safe Harbor and published draft
proposals. The announcement was greeted with cautious optimism by
businesses and with slightly less optimistic caution by regulators
who said they needed to review the details before reaching a
What's the development?
The Article 29 Working Party (WP), comprised of European data
protection regulators, has delivered its opinion on the EU-US
Privacy Shield. It has welcomed the progress made as a "great
step forward" but has stopped short of endorsing the current
Dividing its opinion into commercial and national security
issues, the WP considers that the current proposals are difficult
to understand and overly complex, give cause for concern and
need further clarification. On this basis, it urges the
Commission to continue negotiations with the USA and says it still
has work to do to ensure that any adequacy decision really does
provide EU personal data transferred to the USA with a level of
protection equivalent to that in the EU.
What does this mean for you?
The European Commission is not bound by the WP's views and
will almost certainly proceed towards a decision of adequacy given
the political and commercial considerations. However, without the
backing of the regulators, the Privacy Shield is unlikely to give
any real comfort to businesses because regulators have the ability
to investigate data exports irrespective of any adequacy decision
by the Commission. During its press conference, the WP said it did
not know what would happen if the Commission were to go ahead with
the Privacy Shield as currently drafted.
The WP has said it will not give its views on the validity of
other data transfer mechanisms until the Commission has made its
final decision of adequacy on the Privacy Shield. It is clear that
for now, model contract clauses and BCRs for intra-group transfers
remain valid data export mechanisms to the USA and that transfers
taking place under the old Safe Harbor regime are illegal.
In other words, not much has changed.
The WP makes the following key observations on the current
Privacy Shield proposals:
the data protection principles are
inadequately reflected in the Privacy Shield. For example, the
purpose limitation is unclear and leaves open the possibility of
re-use of data and there is no mention of the data retention
the use of terms is inconsistent (for
example, what is meant by "processing" and by an "EU
the availability of recourse for EU
citizens in relation to the handling of their data has improved but
the system proposed is too complex and will be hard for individuals
to action. DPAs should be the natural point of contact in the event
of any issues;
there needs to be a review mechanism
to take into account the introduction of the GDPR.
National security aspects
the WP has set out four essential
guarantees required to comply with European jurisprudence in
relation to the processing of personal data for national security
processing must take place in
accordance with clear, precise and accessible rules so that a well
informed individual should be able to foresee what will happen to
necessity and proportionality must be
capable of being demonstrated;
there must be an independent
oversight mechanism which is effective, impartial and able to carry
out appropriate checks;
there must be effective remedies for
individuals before an independent body;
the main concern of the WP is that
bulk collection of personal data remains possible. Where this is
massive and indiscriminate, it is not acceptable;
the WP welcomes the progress made
with the introduction of the ombudsperson but is concerned that
there are insufficient guarantees about the status, powers and,
crucially, the independence of the role.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.