Article 29 Working Party Expresses "Strong Concerns" about the EU-US Privacy Shield Agreement
On April 13, the Article 29 Working Party announced that it had completed its review of the EU-U.S. Privacy Shield documentation. In a 58-page opinion, the WP29 made numerous critiques of the proposed EU-US Privacy Shield framework. During a press conference, Working Party Chairwoman Isabelle Falque-Pierrotin commented that the Privacy Shield is a “great step forward” that includes a number of “major improvements” as compared to the now-invalidated Safe Harbor. However, the Chairwoman also expressed "strong concerns" about a number of areas where clarification is required.
Specifically, the Working Party believes that the Privacy Shield framework does not adequately address a number of data protection principles established under EU law. The Working Party has stated that the commercial part of the Privacy Shield framework requires clarification on the following points:
Data Retention and Purpose Limitation
The Working Party believes that the framework does not incorporate some of the key EU data protection principles, or that they have been "inadequately substituted by alternative notions"; the purpose limitation and data retention principles are given as examples. For example, concerning data retention, there is no express data retention principle in the Privacy Shield framework. The Working Party noted that "the lack of provisions imposing a limit on the retention of data under the Privacy Shield gives organizations the possibility to keep data as long as they wish, even after leaving the Privacy Shield, which is not in line with the essential data retention limitation principle." The Working Party also noted that there is no wording on the protection that should be afforded against individual decisions based solely on automated processing: "The Privacy Shield does not provide any legal guarantees where individuals are subject to a decision which produces legal effects concerning or significantly affecting them and which is based solely on automated processing of data."
Concerning purpose limitation, the Working Party noted that the scope of the purpose limitation concept differs under the (1) Notice, (2) Choice, and (3) Data Integrity and Purpose Limitation principles of the Privacy Shield. The Working Party recommends harmonizing the purpose limitation principle across these so that any processing incompatible with the original collection purpose is prohibited.
Onward Data Transfer
The Working Party believes that the onward transfer principle is not robust enough where data is flowing to a third country and has specific concerns regarding the application of certain Privacy Shield principles to the processing of HR and pharmaceutical data. The Working Party emphasized “that onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower or circumvent EU data protection principles. In case of an onward data transfer to a third country, every Privacy Shield organization should have the obligation to assess any mandatory requirements of the third country’s national legislation applicable to the data importer, prior to the data transfer. If a risk of substantial adverse effect on the guarantees, obligations and level of protection provided by the Privacy Shield is identified, the U.S. Privacy Shield organization acting as a Processor (Agent) shall promptly notify the EU data controller before carrying out any onward transfer.” Under such circumstances, the Working Party noted, the Shield organization should be “entitled to suspend the transfer of data and/or terminate the contract.” If the Shield organization is acting as a data controller, it “should not be allowed to onward transfer the data, as this would compromise its duty to provide the same level of protection” as under the Privacy Shield. The Working Party “recalls its position that if the EU data controller is aware of an onward transfer to a third party outside the U.S. even before the transfer to the U.S. takes place, or if the EU data controller is jointly responsible for the decision to allow onward transfers, the transfer should be considered as a direct transfer from the EU to the third country outside the U.S.,” in which case the EU Data Protection Directive (Articles 25 and 26) applies instead of the Privacy Shield onward transfer principle. 
The Working Party “concludes that onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to data processors (Agents).”
The opinion also claims that it may be too burdensome for EU citizens to resort to recourse mechanisms in the US if they feel their personal data has been misused. The Working Party recommended that the Privacy Shield allow for EU Data Protection Authorities to represent EU individuals and act on their behalf or to act as an intermediary. Alternatively, the Working Party noted, the Privacy Shield "should contain specific jurisdiction clauses entitling data subjects to exercise their rights in Europe."
The Working Party noted that the Privacy Shield does not exclude massive and indiscriminate collection of personal data originating from the EU by US intelligence agencies and, while the Working Party welcomed the Ombudsperson as a new mechanism of redress, it stated that the position is not sufficiently independent or powerful: “this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.”
Conclusion and Recommendation
The Working Party's opinion underscores the likelihood that the Privacy Shield will face significant legal obstacles for months to come and may not be a reliable means of legally exporting data out of the EU for some time. If your company receives personal data from EU citizens, your company should consider adopting standard contractual clauses or binding corporate rules to legitimize those transfers.