On 26 July, the Article 29 Data Protection Working Party (WP29) released a statement outlining its opinion on the EU-U.S. Privacy Shield, which was adopted by the European Commission earlier this month. After praising the improvements implemented by the Commission and U.S. authorities since its last critical opinion, the WP29 outlined some remaining concerns, including the lack of:

  • specific rules on automated decisions and a general right to object;
  • clarity regarding how the Privacy Shield applies to processors;
  • strong guarantees regarding the independence and powers of the Ombudsperson mechanism; and
  • concrete assurances that the bulk, indiscriminate collection of EU citizens’ personal data will not take place.

The first annual review of the functioning of the Privacy Shield program in 2017, to be conducted by the U.S. Department of Commerce and the European Commission, is clearly seen as important by the WP29, which calls for a more defined role in that process and hints that an adverse review could impact negatively on other data transfer methods, including Binding Corporate Rules.

In the meantime, the EU data protection authorities (DPAs) within the WP29 “commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints”. The WP29 has announced it will be producing guidance for data controllers about their obligations under the Shield, and commenting on the citizens’ guide produced by the Department of Commerce.

1 August 2016 marks the start of a new chapter for transatlantic data transfers. U.S. companies will be able to self-certify that they abide by the privacy principles set out in the Privacy Shield, providing them with a legal basis to receive personal data from the EU. It is too early to offer predictions on the success of this replacement to Safe Harbor; however, in the short term, the EU DPAs look set to uphold individuals’ considerably enhanced rights under the program – and Privacy Shield joiners should prepare themselves accordingly.