EU-U.S. Privacy Shield Still Needs Work, Says Committee of European Privacy Regulators
On April 13, 2016, the Article 29 Working Party, comprised of European data protection regulators, issued its opinion on the European Commission’s proposed EU-U.S. Privacy Shield. The Working Party commended the European Commission for the improvements to the data transfer regime over that of the recently invalidated Safe Harbor program, but noted that the draft adequacy decision still needs work. The Working Party’s concerns center on three issues: (1) the perceived lack of clarity of the Privacy Shield documents, (2) the implications of the commercial aspects of the Privacy Shield proposal, and (3) the access to data transferred under the Privacy Shield by the U.S. government. Further, the Working Party notes that because the General Data Protection Regulation (“GDPR”) has not yet entered into force, the Privacy Shield draft adequacy decision does not yet accurately reflect the environment in which it will exist, and further review will be necessary once the GDPR is in place.
The Shield’s Governing Rules Lack Clarity in Important Areas
The Working Party expressed frustration with the fact that important provisions in the current wording of the Privacy Shield lack clarity. Of chief concern to the Working Party is that the principles and guarantees of the Privacy Shield are spread out between both the adequacy decision and its various annexes, making them hard to find. Further, the Working Party is frustrated by what it perceives as the use of inconsistent terminology that could cause confusion on both sides of the Atlantic, and has called for the Commission to create a separate annex to define core terms and to uniformly apply those terms in the adequacy decision. The Working Party calls for clarification, as “[a] common and unambiguous understanding of the obligations imposed by the Privacy Shield adequacy decision is crucial for its effective functioning on both sides of the Atlantic.”
More Safeguards are Needed Regarding the Commercial Use of Transferred Data
With respect to the commercial aspects of the Privacy Shield proposal, the Working Party identified areas of concern that it wishes the Commission to address in order to protect European citizens. The Working Party asks that the Commission address the following items it has identified as providing inadequate protections:
- The Working Party argues that the Privacy Shield Principles do not clearly delineate between provisions that do or do not apply to data processors, resulting in the granting of rights to processors under the Privacy Shield that should remain in the hands of the data controllers under EU law.
- The draft adequacy decision lacks analysis regarding the applicable federal and state laws in the U.S. and their impact on the enforceability of the promises made in the Privacy Shield Principles, and the Working Party calls upon the Commission to include an analysis of the exemptions permitted by these laws.
- The Commission is called upon to incorporate a data retention limitation principle, requiring the deletion of data after it is no longer necessary, as the Working Party has concluded that no such principle exists in the Privacy Shield Principles.
- The Working Party asks that safeguards be set in place to protect individuals in instances where automated processes are used to evaluate personal aspects of an individual (for example, to determine creditworthiness, work performance, etc.).
- As currently drafted, the Privacy Shield framework provides for an interim period during which entities certifying that they are Privacy Shield-compliant may bring their pre-existing business relationships into conformity with the relevant onward transfer principles. The Working Party has found this interim period to be unacceptable, as data shared during it is not afforded the full protections of the Privacy Shield provisions.
- With respect to onward transfers of data, the Working Party notes the potential for such data to be transferred to organizations and countries that do not offer sufficient protections for personal data, and therefore calls for any Privacy Shield organization conducting such onward transfers to conduct considerable due diligence and undertake certain obligations to ensure the security of EU citizens’ data.
- Finally, the Working Party makes various suggestions on preferable approaches to specific issues related to commercial data transfers that it wishes to see adopted in the documents constituting the Privacy Shield. These issues include transparency, choice mechanisms, the rights of access, correction and erasure, and redress mechanisms, among others.
Government Access Should be Guided by Essential Guarantees
Considering the practices of U.S. national security and law enforcement agencies, the Working Party recognizes that “[i]nterferences with the fundamental rights to private life and data protection may be allowable, provided that such interference is justifiable in a democratic society.” In order to be “justifiable in a democratic society,” the Working Party argues that such interferences must be conducted pursuant to four essential guarantees:
- Processing should be in accordance with the law and based on clear, precise, and accessible rules.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- An independent oversight mechanism should exist.
- Effective remedies need to be available to the individual.
The Working Party considered these essential guarantees in the context of applicable U.S. laws and executive orders, including the Judicial Redress Act, the Foreign Intelligence Surveillance Act, and the Fourth Amendment of the U.S. Constitution, and, while heartened by the progress made, remains concerned that the essential guarantees are untenable in the current legal environment. For example, the Working Party lauds the establishment of a Privacy Shield Ombudsperson, created to ensure that all laws are complied with in instances where a European citizen is targeted for surveillance, and to ensure that any non-compliance is remedied. Yet, as with the application of the essential guarantees to the Privacy Shield arrangement generally, the Working Party has concerns that the Ombudsperson mechanism will not be truly effective in providing redress for affected European citizens.
The Working Party’s Conclusions
While the Working Party sees the Privacy Shield as a step in the right direction, the flaws in the proposal, as identified by the Working Party, raise concerns as to the enforceability of the proposal as a whole. The Working Party highlights three issues as “major points of concern… that in the view of the [Working Party] will need to be addressed:” (1) data deletion is not currently required when the data is no longer necessary, (2) the U.S. administration does not fully exclude the massive and indiscriminate collection of data, and (3) the role of the Ombudsperson is not clearly enough defined to ensure that it is truly independent and possesses the powers to offer effective oversight and redress. In addition to asking the Commission to address these core concerns, the Working Party also seeks clarification and further information regarding the various aspects of the draft adequacy decision that it identified throughout its opinion.
The Working Party has long held firm that a permissible data transfer mechanism may only exist where European citizens’ data will be treated in a manner that is essentially equivalent to the protections afforded within Europe. The Working Party has gone on record to state that if the Privacy Shield Principles are not updated to ensure such protections apply to data transfers under the Shield, a legal challenge to the Shield’s adequacy before the Court of Justice of the European Union cannot be ruled out. In fact, Max Schrems, whose court challenge to the Safe Harbor led to its invalidation, has already signaled his readiness to challenge the Shield.
What This Means
At this point, the Working Party’s opinion largely serves to highlight the issues it sees with the proposed Privacy Shield framework; it does not create obligations, nor does it offer much guidance on the policy and procedure changes that entities involved in trans-Atlantic data transfers should put in place. Although the Working Party’s opinion is only advisory, it does put pressure on the Commission to make changes to the Privacy Shield proposal. This may result in the Commission asking the Department of Commerce to place more obligations on organizations that use the Shield. Concerns about a lack of clarity in some of the documents defining the new framework can probably be addressed easily by the Commission as part of a final adequacy decision. However, continuing concerns about the U.S. government’s access to transferred data may be more difficult for the Commission to address. Before finalizing its adequacy decision, the Commission still awaits the opinion of the Article 31 Committee, consisting of representatives from the Member States, which is not expected until after the committee’s next two meetings on April 29 and May 19, 2016. Whether the Working Party’s concerns will be addressed, and what the Working Party’s response to any such action by the Commission (and any independent response by individual national privacy regulators) will be, remains to be seen. For now, the key takeaway from the Working Party’s opinion appears to be the group’s view that the Privacy Shield framework is a step in the right direction, but does not yet pass muster against all of the protections of European privacy law. Unfortunately, the Privacy Shield remains a work in progress for the immediate future.