The Article 29 Working Party (the Working Party), which includes representative data protection authorities from each EU member country and the European Data Protection Supervisor, issued a 58-page opinion yesterday that flagged perceived shortcomings of the draft EU-U.S. Privacy Shield (Privacy Shield). Privacy Shield was slated to replace the now-defunct Safe Harbor, and is the updated framework designed to permit organizations to legally transfer EU personal data to the United States. Taking into account applicable law, the recent European Court of Justice decision in the Schrems case, and the current international context, the Working Party praised the improvements of Privacy Shield, but criticized its overall lack of clarity and accessibility.
The Working Party identified these key points of particular concern:
- Material Omissions: Key data provisions, such as the Data Integrity and Purpose Limitation principle, are not reflected in the draft adequacy decision. To cure this deficiency, the Working Party recommended a glossary of terms and definitions in the Privacy Shield F.A.Q.
- Bulk U.S. Government Data Collection: The U.S. representations do not exclude bulk, indiscriminate personal data collection originating from the EU. The Working Party opinion recommended further safeguards to ensure interferences caused by U.S. surveillance programs are necessary in a democratic society.
- Ombudsman Details: The powers and position of the new Ombudsperson are not detailed. The U.S. had committed to a new Ombudsperson who would be independent from the U.S. intelligence authorities and serve as an oversight mechanism for national security interference. The Working Party recommended further clarification on the position and powers of this new Ombudsperson.
- Clarity on Accountability Process: The annual joint review mechanism lacks clarity regarding the precise arrangements of the parties. Under the adequacy decision, the annual joint review mechanism would ensure U.S. accountability to commitments through an annual review by the European Commission and U.S. Department of Commerce and would involve Data Protection Authorities, U.S. national security authorities, and the independent Ombudsperson, where appropriate. The Working Party recommended and welcomed agreement on the elements of the joint review well in advance of the first review.
Now that the Working Party has issued this opinion, the European Commission is likely to incorporate many of the proposed changes into a revised adequacy decision for approval by the Commission. To that end, Commissioner Jourová stated that “the Commission will work to swiftly include [the regulators’ useful recommendations] in its final decision.” While the Commission has the discretion to proceed on the current draft adequacy decision, the Data Protection Authorities maintain the authority to investigate and ultimately restrict data transfers where a non-EU country does not meet the “adequacy” standard for privacy protection under EU law.