A Shield or not a Shield: That is the question!

1. The Shield does not have a data retention principle
   
   
2. The position on massive and indiscriminate collection of data for national security purposes is unclear
   
   
3. The legal remedies are insufficient, in particular the exact role, the independence and powers of the Ombudsperson (who will deal with national security related complaints) are not clear.

We will have to see if the Commission moves ahead with the Privacy Shield, notwithstanding the Working Party Opinion, or if it seeks to address the points raised and to modify the Shield.

The Opinion does not address other data transfer mechanisms (in particular Standard Contractual Clauses and Binding Corporate Rules). In its press conference, the Working Party noted that a position on these would be deferred and would be dependent on the Commission's next steps. In the press conference, the Working Party did note that at the moment these continue to be valid mechanisms for data transfer.

We will continue to monitor developments closely and update you on significant developments.

Background

In October 2015, in case C-362/14 (Schrems v Data Protection Commissioner), the CJEU ruled that the EU Commission’s Safe Harbor decision was invalid. On 29 February 2016, the European Commission published the text of a new framework for transatlantic exchanges of personal data known as the EU-US Privacy Shield. The Article 29 Working Party (consisting of a representative from each supervisory authority, the European Data Protection Supervisor and a Commission secretariat)  has been assessing the Privacy Shield documents and gave its opinion on 13 April.

Opinion

While welcoming Privacy Shield as a great step forward from Safe Harbor, the Article 29 Working Party raised a number of concerns with the framework. Significantly, the Article 29 Working Party will not examine the validity of SCCs and BCRs until after the Commission provides its adequacy decision on the Privacy Shield.

The Article 29 Working Party is not a law making body, but given its members are representatives of national data protection authorities of member states its opinion is highly persuasive. After this decision the Commission must decide whether to finalise its adequacy determination for the Privacy Shield in its current form, or return to the negotiating table taking on-board the comments of the Article 29 Working Party.

Organisations may be slow to adopt the Privacy Shield, if it comes into effect in current form. However, revising the draft of the Privacy Shield is only an option if the US is able to address the Article 29 Working Party’s two major concerns - the potential for continued mass surveillance and the powers and independence of the Ombudsperson.

US National Security Guarantees

Certainty and Foreseeability of Surveillance:

The opinion notes that the practical application of certain surveillance laws remains unclear from the Privacy Shield documentation. Law must be accessible and some of the underlying legal texts are classified.

Necessity and Proportionality:

The Shield documentation does not rule out massive and indiscriminate data collection by the US government. This remains a ‘major’ concern for the Article 29 Working Party, although the Working Party notes that, pending a decision from the CJEU on joined cases C-203 and C-698/16, there is no conclusive EU law on this yet.

Ombudsperson/Oversight:

The Privacy Shield provides a new mechanism for EU individuals to submit requests in relation to US intelligence access to a Privacy Shield Ombudsperson. The Article 29 Working Party has concerns about the independence of the Ombudsperson and whether he or she will have direct access to information, files and IT systems required to make assessments, and will have powers to compel agencies to guarantee a satisfactory remedy. Some agencies (e.g. the CIA) may fall outside the Ombudsperson's remit. The Working Party is also critical of other judicial remedies – due to the need to demonstrate harm; exclusions for national security in the Judicial Redress Act; and the fact that only US citizens can be protected by the Fourth Amendment (which protects from unreasonable searches and seizures).

Privacy Shield Principles

Omission of key principles:

Key European data protection principles are missing from the Privacy Shield including the data retention principle, ensuring data is deleted once the purpose for which it was collected or further processed becomes obsolete; and provisions guaranteeing protections from automated decision making with legal effect or significantly affecting individuals.

Onward Transfer Principle:

Privacy Shield holders should be put under an obligation to assess the adequacy of a third country prior to transfer. The Privacy Shield organisation should also be obliged to promptly notify any changes in the third country legislation which is likely to have a substantial adverse effect on the level of protection provided by the Privacy Shield.

Recourse Principle:

The redress principle has so many potential avenues that the Working Party thinks this makes it difficult for EU subjects to ascertain whom to approach with complaints. In order to overcome language barriers and lack of knowledge of the US legal system, the Article 29 Working Party further recommends that the Privacy Shield allow EU data protection authorities to represent EU data subjects and act on their behalf, or to act as an intermediary for the individual’s complaint.

Effective Date of Privacy Shield:

The Article 29 Working Party is not satisfied with the provisions allowing transitional arrangements whereby organisations that join the Privacy Shield within the first two months have nine months to bring arrangements with third parties into conformity with the Shield. Transfers should only take place from the moment of full compliance with the Privacy Shield Principles.

Notice & Choice:

More detail about the manner and timing of notice and choice should be included. There are inconsistencies between the choice and purpose limitation principles.

Agents:

The way the Shield Principles would apply to agents (or data processors in EU terms) is not clear. Not all Principles are relevant to processors: the Shield should make clear which apply and that processors may only follow instructions (including on onward transfer) from the controller which has appointed them.

Terminology and consistency:

Terminology is inconsistent, leading to lack of clarity and gaps in coverage. For example, it is not clear if rights will benefit all persons residing in the EU or EU citizens only. A glossary of terms is recommended.

Joint review:

There will be a joint review of the Shield by the US and EU. The Working Party would like more certainty of approach (and of funding for its part in this process), and would like this to be more thorough than the current reviews of transfer of Passenger Name Record data.

Exemptions to the Principles:

Without fuller knowledge of US law both at the Federal and state level, the Article 29 Working Party was not in a position to assess exemptions provided for national security, public interest, law enforcement, or following statute, government regulation or case law. The Working Party also requests a narrower journalistic exemption – reflecting the principles in the Google Spain right to be forgotten case – and clarification that public domain data should not be exempted completely.

GDPR:

The Privacy Shield does not meet the higher standards of the GDPR. There should be a revision clause providing for the Privacy Shield to be reviewed shortly after the GDPR comes into effect, to bring the Privacy Shield in line with revised GDPR standards.  

See also:

EU-US Privacy Shield: Third Global Webinar