On 13 April, the Article 29 Data Protection Working Party (‘WP29’) published its opinion on whether the proposed Privacy Shield programme, which is intended to replace the now-invalid Safe Harbor pact for facilitating trans-Atlantic data flows, achieved an adequate level of protection. The WP29 acknowledged that many of the shortcomings of Safe Harbor have been addressed; however, they stated that “some key principles as outlined in European law are not reflected [in the Privacy Shield],” and went on to identify “strong concerns” and make a number of suggested improvements. The WP29’s opinion is not binding and it does not halt the process in the EU of formally approving the Privacy Shield, although, at the very least, the opinion will be grist to the mill for the Privacy Shield’s detractors.
Concerns identified: In its press release, WP29 calls on the European Commission to resolve its concerns to “ensure that the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU”. Specific concerns raised were: (1) lack of obligation on Privacy Shield organisations to delete data if no longer necessary (i.e., lack of detail on data retention); (2) the U.S. administration does not exclude the possibility of continued massive and indiscriminate collection of data; and (3) the Ombudsman role may lack sufficient powers to function effectively as an additional redress mechanism.
As well as these, the WP29 suggested that restraints on onward transfers by Privacy Shield organisations should be strengthened and clarified, particularly in relation to scope, purpose limitation and transfers to agents.
The approval process for the Privacy Shield in the EU: Before the Privacy Shield can become operational under EU law, a draft Adequacy Decision by the European Commission must be approved by the “comitology” procedure. The WP29’s non-binding opinion is the first step; this will now be followed by a binding opinion from the Article 31 Committee (comprising representatives of each member state) and then formal adoption by the EU College of Commissioners. The European Commission published its draft Adequacy Decision 29 February 2016. The approval process is expected to be completed by June 2016.
Revisiting adequacy – how soon? The WP29 reminds us that we are on the threshold of significant EU data protection reform – the General Data Protection Regulation (“GDPR”) – and suggests there should be a mechanism to revisit the EU Adequacy Decision when the GDPR comes into force in 2018. This seems to signal that further U.S.-EU negotiations may be needed to address revisions to the Privacy Shield in order to achieve adequacy under the more rigorous GDPR regime, which could then result in changes to the Privacy Shield only a couple of years after its adoption.