On 14 April 2016, the Article 29 Working Party (the "WP29"), an independent European advisory body on data protection and privacy composed of a representative of the national data protection authorities of the European Union Member States, the European Data Protection Supervisor and the European Commission, issued an opinion on the European Commission's Adequacy Decision on Privacy Shield (the "Opinion"). The Opinion notes that the Privacy Shield regime introduces many welcome improvements and is a "large step forward" for data protection.

However, the Opinion identifies significant concerns with the proposed arrangement. In particular, the Opinion highlights issues regarding the possibility of bulk personal data collection of European citizens by US security agencies and uncertainty over the effectiveness of the powers conferred on the new position of Privacy Shield Ombudsperson. 

The Opinion urges further analysis, negotiation and (re)drafting of the Privacy Shield so as to vindicate the fundamental rights accorded to European citizens under the framework of the Data Protection Directive and Charter.  In the meantime, the WP29 confirmed the validity of the continued use of model clauses and binding corporate rules for data transfer.

In the wake of the judgment of the Court of Justice of the European Union in Schrems (see VBB on Belgian Business Law, Volume 2016, No. 2, p. 8, available at www.vbb.com), the Opinion is an important part of the ongoing regulatory discussion as to how European rules will ensure 'adequate' protection of personal data for individuals and companies.  The Opinion's content reflects the renewed vigour of the WP29 to enforce European data and privacy rights by urging improvements to the current agreement.  Although the Opinion is not binding for the European Commission, further developments are expected to occur prior to the adoption of the Privacy Shield, which is still scheduled for June 2016.

WP29 publish document concerning European essential guarantees

Separately from the Opinion, the WP29 took the opportunity to adopt a working document outlining its understanding of when interference with the fundamental rights to privacy and data protection may be justified.  On the basis of case law of the Court of Justice of the EU and the European Court of Human Rights, the WP29 identified four guarantees: (i) clear, precise and accessible rules should underpin any processing of data; (ii) necessity and proportionality with regard to the legitimate objectives pursued have to be demonstrated; (iii) an independent oversight mechanism should exist; and (iv) effective remedies have to be available to the individual.  Together, these guarantees must be satisfied in order to comply with data protection standards under European law. Thus, the essential guarantees offer a useful prism by which national data authorities may in future assess the functioning of the Privacy Shield.

WP29 raise a number of significant concerns regarding Privacy Shield

The Opinion acknowledges that, in its current format, the Privacy Shield is an improvement over the Safe Harbour regime and commends the European Commission and the US Government for the efforts undertaken to date.  These improvements include that certain terms such as 'personal data', 'processing' and 'controller' are now given precise meanings. This was not formerly the case under Safe Harbour.  The Opinion also acknowledges the increased transparency in the information that is given by companies (the Notice Principle) and the intelligence services' regulatory environment in the US.

Conversely, the Opinion identifies a number of areas in which the Privacy Shield requires further work by the European Commission:

  • Security Exceptions Are Overly Broad:  According to the Opinion, the documents underpinning the Privacy Shield do not exclude the possibility of 'massive and indiscriminate collection of personal data originating from the EU'.  In the wake of the Snowden revelations, the WP29 are anxious to ensure that the Privacy Shield does not merely offer vague protections which allow national security agencies to bypass the protection of fundamental privacy and data protection rights.  The Opinion considers that US domestic rules apply to the processing of foreign personal data for intelligence purposes in an 'unclear and confusing' manner.  According to the WP29, the conditions upon which public authorities are empowered to resort to interception measures are difficult to identify such that US surveillance activity is not 'sufficiently foreseeable'.  It remains to be seen whether the European Commission is willing to re-open bilateral negotiations with its US counterpart in order to address such concerns.
  • Ombudsperson Powers Are Unclear:  The adequacy of the proposed Ombudsperson's powers to provide effective redress to persons subject to surveillance, and the possibility for the Ombudsperson to remedy non-compliance, are concerns raised in the Opinion.  The WP29 urges that further clarification be obtained of the provisions establishing this new office in order to ensure a sufficient degree of independence for the Ombudsperson and to enable the exercise of effective and continuous control of such oversight powers.
  • Lack of Clarity and Informal Nature of Establishing Documents:  Due to the convoluted nature in which the Privacy Principles are presented (the core protections of the Privacy Shield are contained across various documents and letters), the WP29 considers that the text is both difficult to navigate and at times inconsistent. The Opinion recommends the creation of an Annex of defined terms and consistent terminology to address these issues.
  • Other Concerns:  The WP29 raised various other concerns in its Opinion including, inter alia, the insufficient detail as to how the Privacy Shield applies to 'data processors' or other onward transfers; the lack of reference to a data retention limitation principle; and the absence of robust protection for individuals subject to automated processing of data.  The Opinion also raises specific concerns relating to human resources and pharmaceutical data under the Privacy Shield and deems that the recourse mechanisms are too complex.  The Opinion considers that further improvements can be made to the proposed text and that further review will be necessary in light of the new General Data Protection Regulation.
