EU-US Privacy Shield close to an end after WP29 review?
The EU-US Privacy Shield was the subject of several concerns raised by the Article 29 Working Party that, if unresolved, might lead to its future invalidation.
The end of the Safe Harbor and the birth of the Privacy Shield
Everyone knows the story about the invalidation of the Safe Harbor program regulating the transfer of personal data between the EU and the US and its subsequent replacement with the EU-US Privacy Shield.
As provided by the terms of the decision adopting the Privacy Shield, the scheme has now been the subject of its first review by 8 representatives of the Article 29 Working Party (WP29), who have now published their findings.
The WP29 concerns on the Privacy Shield scheme
The WP29 showed an appreciation for the improvements achieved through the Privacy Shield, compared with the scenario in place at the time of the Safe Harbor. However, it also raised significant concerns such as:
- the lack of guidance and clear information
  - on the principles of the Privacy Shield,
  - on onward transfers, which raises issues about what happens to the personal data of EU citizens when it reaches the US and is further transferred by a Privacy Shield certified entity, and
  - on the rights, available recourse and remedies for data subjects, which is also impacted by the current lack of appointment of the Ombudsperson and of definition of its rules, which are seen as a key element in seeking effective redress before a court;
- the need to make improvements on
  - the interpretation and handling of HR data, which if unresolved might have a significant impact on US multinational groups with a presence in the EU, and
  - the rules governing automated decision-making/profiling, for which better guarantees shall be given;
- the necessity of implementing more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce; and
- the current insufficient evidence on the commitments taken in relation to the collection of and access to personal data for national security purposes, which was the main reason that led to the invalidation of the Safe Harbor program; in order to monitor compliance with such commitments, the Privacy and Civil Liberties Oversight Board (PCLOB) shall be quickly appointed.
What’s next? A threat from the WP29?
The conclusions from the Article 29 Working Party sound like a sort of “warning” to EU and US authorities. Indeed, European Data Protection Authorities urged the EU Commission and the competent U.S. authorities to restart discussions, adopting an action plan to address all the concerns raised.
In particular, they requested that by the 25th of May 2018, when the EU General Data Protection Regulation is going to become binding, at least
- an independent Ombudsperson should be appointed and its rules of procedure shall be further explained and
- the PCLOB members should also be appointed
while the other elements of concern shall be addressed at the latest at the second joint review.
However, if the issues raised by the WP29 are not remedied by the deadlines above, they threatened to take appropriate action, including bringing the Privacy Shield adequacy decision before national courts for them to make a reference to the European Court of Justice, which might lead to an invalidation.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.