On April 13, the Article 29 Working Party announced that it had completed its assessment of the EU-U.S. Privacy Shield documentation. The announcement was followed by the release of a 58-page Opinion on the European Commission’s draft adequacy decision on the Privacy Shield.
During the press conference, Working Party Chairwoman Isabelle Falque-Pierrotin stated that the Privacy Shield was in general a “great step forward” and contained a number of “major improvements” as compared to the now invalid Safe Harbor. However, the Chairwoman also expressed concern in a number of areas where clarification is required. In addition, she commented on the complexity of the Privacy Shield documentation.
In response to questions raised during the press conference, the Working Party Chairwoman confirmed that, for the time being, the other international data transfer tools (i.e., EU Standard Contractual Clauses and Binding Corporate Rules) would remain valid at least until the Commission issues its final adequacy decision.
The Commission will now consider the concerns raised by the Article 29 Working Party and may seek clarification from the U.S. authorities to address the points raised by the Working Party. A final adequacy decision is expected in June 2016.
- The Working Party does not categorically reject the draft adequacy decision supporting the Privacy Shield. Its criticisms are relatively contained and mild, and it repeatedly acknowledges significant improvements over the Safe Harbor with regard to commercial privacy issues.
- Regarding government surveillance, the Working Party does not attempt to compare or contrast U.S. safeguards, checks and balances, oversight and legal redress to those in effect in the EU Member States and, in the commercial arena, does not consider the significant changes in U.S. privacy and data protection since the time of the initial Safe Harbor decision.
- However, the Working Party acknowledges that substantial oversight of surveillance and government access is in effect in the U.S., including independent bodies such as courts, the Privacy and Civil Liberties Oversight Board (PCLOB) and congressional committees.
- The Working Party appears to suggest it could support the adequacy decision for the Privacy Shield if the Commission provides for a number of clarifications and greater consistency in terminology.
- In particular, the Working Party calls for additional clarity regarding onward transfer requirements and application of the Privacy Shield to data processors in the U.S. (as opposed to controllers).
- The Working Party would like to see specific references to certain EU data protection rights relative to limits on data retention and automated decision-making that affects individuals. As a general matter, the Working Party appears to be looking for more prescriptive detail in how the Privacy Shield will be implemented, similar to the way EU law operates.
- The Working Party criticizes the complexity of the various legal redress mechanisms contemplated under the Privacy Shield for commercial data transferred to the U.S. The Commission and Department of Commerce may therefore wish to outline the different stages of the recourse process more clearly.
- The Working Party found that the legal authorities for the conduct of U.S. national security and law enforcement surveillance were relatively clear and transparent, though they had some questions as to how surveillance conducted under EO 12333 is limited to collection outside the U.S. and precisely what constitutes “signal intelligence” subject to the protections granted to EU individuals under PPD-28.
- The Working Party criticized the new State Department “Ombudsperson,” which is intended to respond to government surveillance concerns, for not being a sufficiently independent tribunal or empowered to adjudicate disputes. However, the Ombudsperson is intended to help facilitate resolution of concerns rather than serve as a quasi-judicial forum, a role modeled on that played by the Italian Garante or French CNIL with respect to government surveillance. The Working Party otherwise acknowledges that the U.S. has robust and transparent oversight of surveillance.
- The Working Party would also seek greater assurance regarding U.S. intentions to desist from future mass and indiscriminate surveillance, but the Working Party does not attempt to compare or contrast U.S. targeting and collection practices to those of the EU Member States.
All in all, the Working Party Opinion published following the press conference is detailed and thoughtful, providing a pathway for refinement and ultimate approval of the Privacy Shield.
The Working Party Opinion addresses the assessment of the Privacy Shield as two separate work streams: (i) the commercial aspects and (ii) the possible derogations to the principles of the Privacy Shield for national security, law enforcement and public interests purposes.
In its Opinion, the Working Party highlighted a number of “significant improvements” as compared to the Safe Harbor framework, including the new provisions for onward transfers. The Working Party further expressed satisfaction that many of the shortcomings of the Safe Harbor framework previously identified by the Working Party were addressed in the Privacy Shield.
However, the Working Party was concerned that a number of EU data protection principles are either “not reflected or have been inadequately substituted” in the Privacy Shield documentation. For example, the Working Party commented that the data retention principle is not explicitly referenced, the onward transfer principle should include an obligation on participating companies to assess the adequacy of the national laws applicable in a third country, and the redress mechanisms set out in the Privacy Shield – although numerous – are too complex. The Working Party is of the opinion that the EU data protection authorities should be the point of contact in the various redress mechanisms. The Working Party also suggests including a review clause in the Commission’s adequacy decision in order to take into account the changes to be introduced under the EU General Data Protection Regulation, which will apply from 2018.
Access by Public Authorities
In its assessment of the protection afforded to EU citizens in relation to access to data by public authorities, the Working Party referred to the “European Essential Guarantees,” an EU standard for surveillance which has been extracted from EU jurisprudence on fundamental rights. The four essential guarantees (similar to those distilled in the Sidley “Essentially Equivalent” report in January) are set out in the Working Document accompanying the Working Party’s Opinion and are as follows: (i) processing should be based on clear, precise and accessible rules; (ii) necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated; (iii) an independent oversight mechanism should exist; and (iv) effective remedies need to be available to the individual.
The Working Party Opinion concludes that these European Essential Guarantees should not be assessed independently but on an overall basis, reviewing the legislation in relation to data collection for surveillance, the minimum level of safeguards for the rights of data subjects, and remedies under national law in that country. These Guarantees are based on fundamental rights that apply to everyone, notwithstanding their nationality, and to surveillance legislation in EU Member States.
In its Opinion, the Working Party acknowledges the “considerable step” taken in extensively addressing access to data processed by public authorities under the Privacy Shield, together with the increased transparency offered by the U.S. administration on legislation applicable to intelligence data collection. However, the Working Party identified two key concerns in this respect:
1. Massive and indiscriminate data collection – The representations offered by the U.S. Office of the Director of National Intelligence do not exclude massive and indiscriminate collection of EU personal data. The Working Party acknowledges the growth of data collection on a mass and indiscriminate scale in light of the fight against terrorism but described the “lock-in” of bulk collection under the Privacy Shield as “unacceptable.” The opinion acknowledges that the legal limits of bulk collection have been resolved in EU jurisprudence, and the Working Party awaits the forthcoming rulings of the Court of Justice of the European Union in cases that may define massive and indiscriminate collection.
2. The Privacy Shield Ombudsperson – The Working Party Chairwoman described the establishment of an Ombudsperson as “great progress” but raised concerns as to its independence and the fact that it is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement (all requirements of the Schrems ruling). The Opinion states that the Working Party “cannot come to the conclusion” that the Ombudsperson will have the power and independence the Working Party deems necessary to comply with the EU legal order.
The Working Party now urges the Commission and the U.S. authorities to “resolve [the concerns raised by the Working Party], identify appropriate solutions and provide the requested clarifications in order to improve the [Commission’s] draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.”