Home / Publications / Privacy Shield: feedback from the WP29

Privacy Shield: feedback from the WP29

Before the European Commission can make any final decision, it needs to obtain the opinion of the WP29 group of representatives of the national data protection authorities. They gave some initial but mixed feedback on 13 April 2016.

The WP29 first of all pointed out the major improvements that Privacy Shield will introduce compared to Safe Harbour. It defines certain key concepts, and says that the mechanisms put in place to monitor compliance with the principles are protective, especially the internal and external oversight mechanisms.

The WP29 also examined whether the proposal complies with the four guarantees that it had previously identified as being essential for the legality and security of the scheme (Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data):

  • processing should be based on clear, precise and accessible rules;
  • necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
  • an independent oversight mechanism should exist;
  • effective remedies need to be available to the individual.

Concerning the text itself (Guarantee A), the WP29 deplores an "overall lack of clarity" regarding the new framework (Press Release, 13 April 2016, reported on the CNIL website), especially its commercial aspects. In fact, the draft adequacy decision is made up of several letters, a draft decision and several annexes which are not all entirely coherent.

The WP29 also criticises a lack of consistency between the existing European framework (Directive 95/46 of 24 October 1995) and the principles and framework offered by the Privacy Shield. A review ought to be undertaken after the entry into application of the General Data Protection Regulation. The WP29 therefore suggests inserting a review clause that will allow the scheme operating between the European Union and the U.S. to be brought into line with the one soon to be introduced in Europe.

As regards the necessity of the transfers (Guarantee B), the WP29 states that although the draft decision sets out a principle of "purpose limitation", this is not defined, nor does it contain any rule for how long data may be stored.

Then, the possibility for U.S. intelligence agencies to collect data in bulk in the event of a terrorist threat is too wide to afford adequate data protection. According to the WP29, the mass and indiscriminate collection of personal data cannot be regarded as proportionate and must not be allowed. In support of this argument, the WP29 refers to several cases before the CJEU which are due for a ruling by the end of 2016, such as Tele2 Sverige AB (C-203/15) and Davis (C-698/15: heard as an expedited procedure following the order of 1 February 2016; will probably be joined with the former case).

Concerning the existence of an independent oversight mechanism (Guarantee C), the WP29 notes and praises the creation of the Ombudsperson the U.S. However, it would like better guarantees as to the independence and powers of this person.

Finally, concerning the remedies open to individuals (Guarantee D), the WP29 bemoans their complexity and, in particular, the fact that the only language of procedure will be English. In addition, there are several different remedies, depending on the situation. The group instead recommends that the national data protection authorities, where they are willing, have the option to act on behalf of individuals, or at least act as their natural "contact point", as will be the case for inter-EU data transfers following the introduction of the General Data Protection Regulation.

The WP29 Opinion of 13 April 2016 concludes by urging the European Commission to "resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU".

And now... the future of Privacy Shield is unclear, because although the Commission is under no obligation to act on the opinion of the data protection authorities, it would be dangerous to not take heed. In fact, there is a high risk of a challenge being brought before the CJEU. It remains to be seen whether all or some of these questions can be clarified during the negotiations that are still underway with the U.S. Department of State.

Authors

Anne Laure Villedieu
Anne-Laure Villedieu
Partner
Paris