The Article 29 Working Party (WP29) has delivered a non-binding opinion on the EU-U.S. Privacy Shield which, though critical of the proposed package, leaves open the possibility that a version of the proposed framework will be blessed by the EU Commission. This would come in the form of an “adequacy decision,” which is necessary for the framework to be implemented. The fact that the Privacy Shield has not been rejected outright by the Member State data protection authorities comprising WP29, as some rumors had suggested, will come as a great relief to many transatlantic companies.
Nonetheless, WP29 has raised a number of difficult points for the Commission to consider. In particular, the national authorities have asked for clarification on several issues relating to commercial application of the EU data protection rules and implementation of the national security derogations, including:
- implementation of rules relating to data retention (deletion), purpose limitation, decision-making based solely on automated processing, and onward transfers;
- effective recourse and redress by EU data subjects;
- the powers and independence of the ombudsman tasked with protecting EU citizens’ privacy rights before the U.S. national security agencies;
- assurances on use of the bulk data collection process; and
- concerns over whether the agreement will be upheld and enforced by the U.S. side despite the relative informality of the U.S. approval process for the package.
The WP29 opinion also observes that the Privacy Shield framework will need to be reviewed in two years’ time in order to analyze whether it complies with the new General EU Data Protection Regulation.
Although the negotiations over the Privacy Shield have been arduous, the publicity has certainly raised the level of awareness on the part of U.S. companies doing business in Europe as to the importance of the EU data protection rules. Most companies want to do the right thing, but many have been frustrated by the lack of a clear path to legitimizing their data flows to the U.S., particularly in cases where other alternatives are not workable. Today’s WP29 opinion may delay the process of finalizing the Privacy Shield agreement, but it appears that the EU Commission is now prepared to move forward with an adequacy decision approving some version of the package in due course.
For further information, please feel free to call any of the following members of our Data Privacy & Cybersecurity team