Article 29 WP releases its opinion on the EU-U.S. Privacy Shield

14. April 2016

The Article 29 WP, represented by the DPAs from the EU Member States, issued yesterday its opinion on the proposed draft of the EU-U.S. Privacy Shield.

Background

Under the Safe Harbor framework, personal data transfers from the EU to the U.S. have been carried out since the year 2000. In October 6th, 2015, the ECJ declared this framework invalid, as it considered that it did not ensure enough safeguards regarding the protection of personal data from EU citizens. In February 2016, the EU Commission and several American Authorities drafted the new framework that shall replace the Safe Harbor Agreement. The draft has been now analyzed by the EU DPAs, who remark the necessity to clear and define some concepts.

Critical aspects of the EU-U.S. Privacy Shield identified by the Article 29 WP

The Article 29 WP does not believe that, in general terms, the current draft of the Privacy Shield ensures a level of data protection equivalent to that in the EU. The most relevant aspects of the published document could be summarized as follows:

  • Data retention periods are not defined in any of the principles of the framework. This means that companies could keep personal data even if they do not renew their Privacy Shield membership. This contravenes the principle of data retention limitation according to EU data protection legislation.
  • The scope and definition of the purpose limitation concept is described under the notice, the choice and the data integrity and purpose limitation principles. However, in each of these principles is the purpose limitation principle differently defined, what leads to an inconsistent definition of this concept.
  • Also the concept of onward transfers has been critically analyzed by the Article 29 WP. Under this principle, Privacy Shield members may legitimately carry out data transfers to third parties. This involves the risk that the recipient of the data does not ensure the same level of data protection as stipulated according to the EU data protection legislation.
  • The redress mechanism available for EU data subjects may be too complex for the data subjects themselves. The Article WP29 recommends that the local DPAs represent the data subjects or act as intermediaries so that they can exercise their rights in Europe.
  • Finally, the Privacy Shield includes certain guarantees regarding the surveillance activities by U.S. authorities. However, the massive collection of personal data from EU citizens is not fully excluded. Regarding this, the institution of the Ombudsman has been created. According to the Article 29 WP, its functions and legitimation are not sufficiently defined.

The Working Party has requested the EU Commission to clarify these aspects and adopt the corresponding solutions, so that the Privacy Shield ensures an equivalent level of data protection to that in the EU. Particularly, it has recommended to introduce a glossary of terms in the “Privacy Shield FAQ” and a review of the Privacy Shield draft after the GDPR becomes effective, in order to ensure that the Privacy Shield reflects the level of protection reached by the GDPR.

What next?

Since the opinion of the Article 29 WP is not binding, the EU Commission could proceed further with the approval of the EU-U.S. Privacy Shield. However, it will consult a Committee of representatives of the EU Member States before issuing its final decision. Until a final decision is reached, the mechanisms to carry out international data transfers are limited to Binding Corporate Rules and Standard Contractual Clauses.