On May 30, 2016, the European Data Protection Supervisor (EDPS) – whose mission is to advise the EU institutions on the data protection implications of their policies — published Opinion 4/2016 on the EU-U.S. Privacy Shield draft adequacy decision.
According to the press release
the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms.
And also: “For the Privacy Shield to be effective it must provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights.”
The EDPS issued several recommendations, among which:
- The Privacy Shield should implement all main data protection principles. To reach a long term solution, the U.S. need to guarantee ‘essentially equivalent’ standards to data transfer to those applicable under EU law, which – according to Article 29 Working Party – means containing ‘the substance of the fundamental principles’ of data protection. See here. “Taken as whole, the Privacy Shield and the U.S. legal order should cover all the key elements of the EU data protection framework”. However, the current draft omits substantive details of data retention and automated processing. The purpose limitation principle and the Privacy Shield requirements should be better clarified. Also, “[t]he provisions addressing onward transfers, the right to access and the right to object should be improved”;
- The Privacy Shield should limit derogations. The EDPS notes that while the U.S. has moved from a general indiscriminate surveillance “to more targeted and selected approaches”, “the scale of signals intelligence and the volume of data transferred from the EU subject to potential collection once transferred and notably when in transit, is likely to be still high and thus open to question”. Certainly the principles of the Privacy Shield can find an exception for “national security, law enforcement or any public interest requirement” but the purposes of these exceptions and their legal basis must be clarified:
- The Privacy Shield should improve redress and oversight mechanisms. The role of the Ombudsperson should be further developed, so that she is able to act independently. The EDPS recommends that the European Commission seek more specific commitments that the requests for information and cooperation from the Ombudsperson, as well as her decisions and recommendations, will be effectively respected and implemented by all competent agencies and bodies.
Finally, the EDPS points out that – once the new General Data Protection Regulation (GDPR) enters into full force in the Spring of 2018 – it will govern all data transfers matters for commercial purposes concerning EU citizens. Controllers will have to change compliance models.
The Press release is available at https://secure.edps.europa.eu…
For more information, Francesca Giannoni-Crystal