EU watchdogs welcome improvements of recently approved Privacy Shield


Last Tuesday (26 July 2016) the WP29 (a group comprised of national representatives from each data protection authority in each EU Member State) issued a statement following its review of the final version of the Privacy Shield regime. The WP29 met to assess whether the Privacy Shield addresses all of their concerns and to determine operational next steps. The outcome of this meeting is that the European data protection authorities have acknowledged the strengths of the new EU-US data-sharing agreement compared to the former Safe Harbor decision, whilst also recognising that there are still some shortfalls. The Chairwoman of WP29, Isabelle Falque-Pierrotin, also announced that Member State data protection regulators will not challenge the adequacy of the Privacy Shield for at least one year. A mandatory review of the adequacy of the Privacy Shield by the European Commission is also scheduled to take place by May 2017.

The story so far

As we previously reported in February of this year in our blog, the European Commission announced the prospect of a new EU-US Privacy Shield as an alternative mechanism for transatlantic data transfers from the EU to the US. This was in response to the landmark case of Maximillian Schrems v Data Protection Commissioner (Schrems) (Case C-362/14) which invalidated Safe Harbor (the predecessor to Privacy Shield).

Fast-forward a few months and much progress has been made. The EU-US Privacy Shield has now been officially approved; the adequacy decision of the European Commission was issued on 12 July. The finalised adequacy decision outlines the Commission’s view that businesses transferring personal data from the EU to the US in line with the Privacy Shield principles will accord with EU data protection law standards.

The European data protection authorities have also now completed their review of the Privacy Shield and released their statement last week in which they generally indicated their approval of the new EU-US data-sharing agreement. This follows their review of the initial version of the Privacy Shield in April where they raised concerns that, although Privacy Shield offered progress and improvements over the previous Safe Harbor model, ultimately, further work was required in order to provide an adequate level of protection. The concerns of the WP29 were also reinforced by the views of the European Parliament and the European Data Protection Supervisor.

Following this, the European Commission revised the terms of the EU-US Privacy Shield and renegotiated a number of key features with the US. The revised version of the EU-US Privacy Shield sets out stronger data retention rules, and adopts a stricter position on onward transfers and access to personal data by US law enforcement agencies. The role of the US Ombudsman was also renegotiated to ensure true independence from US intelligence agencies.

The Article 31 Committee (composed of representatives of the Member States’ governments) voted in favour of the Privacy Shield on 8 July 2016, clearing the way for the European Commission to adopt its adequacy decision.

Privacy Shield Version 2

So what does version 2 of the Privacy Shield look like? The amended EU-US Privacy Shield is based on the following principles:

  • Strong obligations on companies handling data; the US Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they have signed up to. There has also been a tightening of conditions for the onward transfers of data to third parties designed to guarantee the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access; the US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. All data subjects in the EU will, also for the first time, benefit from redress mechanisms in this area. The US has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-US Privacy Shield arrangement. The US Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State.
  • Effective protection of individual rights; any citizen who considers that their data has been misused under the Privacy Shield scheme will have the benefit of several accessible and affordable dispute resolution mechanisms. Preferably, the complaint will be resolved by the company itself or free Alternative Dispute Resolution (ADR) solutions will be offered. Individuals also have the option of going to their national data protection authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved.
  • Annual joint review mechanism; there will be a mechanism monitoring the functioning of the Privacy Shield, including the commitments and assurance regarding access to data for law enforcement and national security purposes.

Does Privacy Shield Version 2 go far enough?

In its latest statement, the WP29 outlined residual concerns relating to commercial aspects of the Privacy Shield and access by public authorities. The WP29 highlighted the lack of specific rules on automated decisions and of a general right to object. They also indicated that it is unclear exactly how the Privacy Shield Principles will apply to processors. The WP29 also stated that it would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism.

What’s next on the Privacy Shield horizon?

The adequacy decision has been notified to European Member States and is in force. In terms of the US perspective, the framework is due to be published in the Federal Register and the US Department of Commerce will begin running the Privacy Shield. US businesses will be able to self-certify their compliance with Privacy Shield principles from 1 August 2016 and the Privacy Shield will operate a system of annual re-certification.

The advent of the Privacy Shield, it is hoped, should help to create greater certainty for businesses who have been left in the dark in the wake of Schrems, and also restore consumer trust when their data is transferred across the pond. This is not to say, however, that the Privacy Shield will satisfy all of the criticisms of privacy activists. There is already intense scrutiny of existing transfer mechanisms including model clause contracts, and privacy advocates may soon shift their focus to this data transfer regime mechanism. Max Schrems has already commented that he believes the Privacy Shield is vulnerable to legal challenge and is far from what the ECJ expected as an alternative to Safe Harbor. In light of this controversial transatlantic privacy backdrop, businesses should watch out for further developments in this area.

Taking a pragmatic approach, we consider that businesses may be reluctant to go down the Privacy Shield route at this stage, in light of the uncertainty it brings. In the interim, businesses are likely to continue relying on established transfer mechanisms that are also incorporated in the GDPR, specifically EU model clauses and Binding Corporate Rules. Ultimately, we would suggest that businesses undertake a thorough assessment of the data transfers they carry out so that they can determine the method of transfer that best fits their organisation. In many instances, and for the immediate time being, model clauses will remain the preferred transfer method for organisations.

Natasha Simmons  |  Senior Associate | PwC Legal
+44 (0)7525 897862

