Article 29 Working Party reviews EU-US Privacy Shield

The Privacy Shield, a framework which governs and legitimises transatlantic data flows between the EU and the US, has been accused of not providing sufficient protection to the rights and freedoms of EU citizens. The European Commission recently completed its first official review of the implementation and effectiveness of the Privacy Shield, and concluded that it provided an "adequate" level of protection for personal data.

Following its review of the Privacy Shield, the Article 29 Working Party has raised concerns which, if not addressed, it will follow with legal action. Made up of a representative of the Data Protection Authority of each EU member state, the watchdog has warned that if action has not been taken by the time of the Privacy Shield’s next official review, it will bring a legal challenge against the Privacy Shield’s adequacy decision.

The A29WP, however, has since published its own report that provides a lengthy list of areas where it feels the Privacy Shield needs to improve. The review was divided into two sections - commercial aspects of the Privacy Shield, and the derogations allowing Law Enforcement and National Security to access personal data.

1. Commercial aspects

The Article 29 Working Party identified a lack of clear information in respect of the principles of the Privacy Shield, handling of HR data and automated decision making/profiling.

The Working Party also recommended:

  • distinguishing the status of data processors from that of data controllers;
  • increasing oversight and supervision of compliance with the principles of the Privacy Shield by US authorities; and
  • enhancing the self-certification process to ensure uninterrupted protection for data subjects.

2. Law Enforcement and National Security

With regards to Law Enforcement and National Security, A29WP’s main concerns relate to the collection of data, to oversight, to judicial redress and finally to the supervision mechanisms.

In particular, A29WP called for a more detailed analysis of the:

  • policies and procedures that determine how data is collected for national security purposes (for example PRISM and UPSTREAM), since little evidence has been provided to demonstrate that such methods for collecting data are as tailored as possible;
  • comprehensive oversight of all surveillance programs, emphasising the pressing need to fill the job vacancies which will assist with such oversight;
  • availability of redress for EU individuals, commenting that EU cases in respect of surveillance matters are pending; and
  • effectiveness of the Supervisory’s powers and remedies (when appointed), given the lack of availability of judicial review of its decisions.

The A29WP has stated that it expects its serious concerns to be addressed by the implementation of the GDPR on the 25 May 2018, with any remaining concerns resolved by the second European Commission review at the latest.

If A29WP’s concerns are not resolved, it will seek a preliminary ruling from the CJEU regarding the Privacy Shield’s adequacy decision with the intention of the Privacy Shield being declared invalid.

It’s not the first time we’ve seen concerns raised about the Privacy Shield. Members of the European Parliament have raised concern over US bulk surveillance powers and transatlantic inconsistencies in interpretation of the framework and data protection law. Aside from this, the A29WP review is not directly enforceable. It’s likely that both the European commission and the Working Party will have their attention focussed on the rapidly approaching GDPR deadline, so it might be a while until the issues are dealt with.

We’ll keep you up to speed with any developments, but such procedures take a while to work through the administration. You can contact Piers Clayden for expert advice on matters impacting on your business.