EU Data Protection Authorities Adopt One-Year “Wait and See” Position On Privacy Shield

The Article 29 Working Party, on July 26, 2016 issued a statement on the final form of the EU-US Privacy Shield, which was formally adopted on July 12, 2016. Speaking at a press conference, Isabelle Falque-Pierrotin, chairman of the Article 29 Working Party, stated that the EU data protection authorities would not launch legal action of their own initiative in the next year but instead will wait until after the first annual review: “the first joint review will be a time in which we will make an evaluation of the Privacy Shield and also a time where additional propositions could be made … we want to be provided with additional clarification, additional evidence, possibly changes in the legislation.”

In assessing the impact of this statement, it must be noted that neither the Working Party nor its members (the DPAs) can launch direct legal action against the Privacy Shield. Only Member States and EU Institutions (such as the European Parliament) can submit such challenges. DPAs can only ask a national court, in the context of a pending dispute, to refer a question on the validity of the Commission’s Privacy Shield Decision to the Court of Justice of the European Union (CJEU).

Of course, if DPAs commit not to ask for such referrals for one year, that eliminates one source of “Privacy Shield validity questions”. However, the DPAs are not the only possible source of such questions. For example, a one-year test period would not prevent an individual in the EU from bringing a case with a built-in “Privacy Shield challenge” before DPAs, which they must decide with due diligence and which Mme. Falque-Pierrotin said data protection authorities will consider “on a case-by-case basis.” National courts deciding upon such cases can refer questions to the CJEU on the interpretation and on the validity of the Privacy Shield Decision. The courts can do so at their own initiative (and if the case ends up before the highest court of a Member State, that court may be obliged to refer questions of interpretation to the CJEU).

The position of the Article 29 Working Party in the annual review process will have legal consequences, because the Commission will have to carefully weigh the Article 29 Working Party position in determining whether to amend, suspend or repeal the Privacy Shield Decision.

In the first annual review, the Working Party also intends to consider U.S. government access to EU data in relation to binding corporate rules and the standard contractual clauses. If at that time “the situation is considered as OK … on the public security side, it is going to have an impact also on [these] other transfer tools by reaffirming their legal robustness,” Mme. Falque-Pierrotin said. Of course, these other mechanisms are designed specifically for use in data exports to countries that have not been deemed “adequate” by the EU, raising the question whether the Working Party would be singling out only the U.S. for special scrutiny – and not every other “non-adequate” country whose public authorities conduct surveillance without scrutiny of their safeguards.

In its statement, the Article 29 Working Party commends the Commission and U.S. authorities for having taken into consideration previous concerns raised by the Working Party in the final version of the Privacy Shield documentation. However, the Working Party identified concerns that remain:

• Commercial aspects – the Working Party remains unclear how the Privacy Shield will apply to processors and is concerned with the lack of specific rules on automated decisions and of a general right to object.
• Access by public authorities – the Working Party states that it would have expected “stricter guarantees” of the independence of and powers afforded to the Ombudsperson and regrets a “lack of concrete assurances” that mass and indiscriminate collection of EU personal data will not take place by U.S. authorities.

The Article 29 Working Party intends to take up these concerns at the first joint annual review, in May 2017, assessing whether these issues have been resolved and whether the safeguards provided under the Privacy Shield are effective in practice. In the meantime, the Article 29 Working Party plans “proactively and independently” to assist EU data subjects in exercising their rights under the Privacy Shield.

A noteworthy aspect of the Privacy Shield is that that financial institutions other than banks and insurance companies appear eligible to participate for both client and HR data. The letter that FTC Chairwoman Ramirez provided the EU in February 2016 in support of the Privacy Shield identified the limits on FTC jurisdiction as confined to banks, airlines, insurance companies and common carrier activities of telecom providers. Since the FTC asserts concurrent jurisdiction over financial institutions that are not banks or insurance companies, including non-bank subsidiaries of banks, broker-dealers and investment advisers, and over employers’ privacy and data security practices regarding employee HR data, neither the FTC nor the Commerce Department is likely to object if securities firms, non-bank subsidiaries of holding companies, and other non-insurance financial institutions want to consider joining the Privacy Shield this time around.

The Article 29 Working Party will be issuing guidance in relation to obligations under the Privacy Shield in the near future. Data protection authorities undoubtedly will be subjecting data transfers under the Privacy to scrutiny, reinforcing the more stringent nature of the Privacy Shield. Participating companies need to be well prepared to comply with its principles and implement its more detailed requirements. In addition to providing a legitimate basis to transfer data to the United States, the Shield will provide a visible way for companies to highlight their commitment to a high standard of data privacy practices.