WP29 issues opinion on Privacy Shield: not an endorsement. Here are the reasons

 

Isabelle Falque-Pierrotin, Chairman of WP29
Isabelle Falque-Pierrotin, Chairman of WP29

In its meeting of April 13, 2016 the WP29 issued a 57 pages opinion on the draft adequacy decision that the EU Commission made available on February 29, 2016. Together with the draft adequacy decision, the Commission disclosed a package of documents (including correspondence with its American counterparts). In order to give an opinion on the draft adequacy decision, the WP29 reviewed the entire package.

The opinion of the WP29 (which is not binding but it is relevant because the WP29 consists of representatives from the European DPAs) is not positive on the Privacy Shield (“PS”)

While there is a statement of appreciation for the “the significant improvements brought by the Privacy Shield compared to the Safe Harbour decision”, the WP29 expressed substantial concerns over the PS. Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision.

First, the WP29 criticizes being “the principles and guarantees afforded by the Privacy Shield” spread out in several documents (i.e, the adequacy decision and its annexes), which “makes the information both difficult to find, and at times, inconsistent”. This situation contributes to “an overall lack of clarity” of the new framework and makes “accessibility for data subjects, organisations, and data protection authorities more difficult.”

Second, the language of the PS is not clear and needs clarification, on “both sides of the Atlantic.”

Third, the PS needs to be more consistent with Directive 95/46/EC (particularly “in scope and terminology”) and, in the future, will need to be reviewed after the entry into force of the GDPR.

Fourth, while the PS needs not to be “a mere and exhaustive copy of the EU legal framework”, it must “contain the contain the substance of the fundamental” and offers “‘essentially equivalent’ level of protection.” This is not the case. The WP29 highlights how “some key data protection principles” are missing “or have been inadequately substituted by alternative notions.” For example, the WP29 finds that the principle of data retention is not mentioned (nor can be implied) and “there is no wording on the protection that should be afforded against automated individual decisions based solely on automated processing.” Also, “the purpose limitation principle” is “unclear.” Clear definitions should be negotiated between the EU and the US and be included in the Privacy Shield F.A.Q.

Fifth, the PS does not adequately frame ( “in scope, limitation of purpose and guarantees) the onward transfer of data (i.e. the “onward transfers from a Privacy Shield entity to third country recipients”). The PS should provide that in case of onward transfer “every Privacy Shield organisation should have the obligation to assess any mandatory requirements of the third country’s national legislation applicable to the data importer, prior to the transfer”.

Sixth, while the PS contains “additional recourses” for individuals to exercise their rights”, the new redress mechanism might be “too complex, difficult to use for EU individuals and therefore ineffective.” The WP29 asks for “clarification of the various recourse procedures” and ED DPAS should be allowed to act on individuals’ behalf.

Seventh, the draft adequacy decision “extensively addresses the possible access to data … for purposes of national security and law enforcement”, however, mass surveillance remains a concern. In fact, “the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU”, which is exactly what is not compliant with the fundamental rights because “massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society”. The institution of an ombudsman as a redress mechanism is useful but it is unsure how independent this institution will be.

Eight, “the exact arrangements” for the WP29’s participation to the “annual joint review mechanism mentioned in the draft adequacy decision” must be clarified.

In conclusion,

 The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.

Read full opinion here.

For more information, Francesca Giannoni-Crystal.