Privacy Shield Major Advance but Troublesome, EU Data Protection Chiefs Say
Privacy Shield is a major improvement but raises concerns, said the EU Article 29 Data Protection Working Party (WP29) Wednesday. The draft EU-U.S. agreement, announced in February (see 1602290003), is the successor to the safe harbor arrangement for trans-Atlantic personal data flows. "Our first reaction to it was very positive," said Isabelle Falque-Pierrotin, chairwoman of French data protection authority CNIL (Commission nationale de l’informatique et des libertés). But she said data protection regulators have problems with some provisions. Falque-Pierrotin said companies can continue to use binding corporate rules and model contract clauses for shifting data to the U.S. until the European Commission makes a decision on Privacy Shield. Industry and consumer reaction ranged from wariness to criticism.
WP29's "thorough analysis" included "a number of useful recommendations" the EC will work to "swiftly" include in its final decision, said Justice Commissioner Vera Jourová. The EC also intends to issue a practical "users' guide" for citizens on how to seek redress for complaints, she said. The next step will be for EU governments to approve Privacy Shield, with EC adoption expected in June, she added.
WP29 published two documents, available here. One is an opinion on Privacy Shield; the second contains the "essential guarantees" the group believes are needed for a European standard for surveillance by intelligence agencies. The group took into account legal elements including the EU data protection directive and European Convention on Human Rights and European Court of Justice ruling in the Schrems case (see 1509230001), said Falque-Pierrotin. The working party also reviewed all the documents detailing Privacy Shield, and found it "rather difficult" to understand them all because they're complicated and inconsistent among themselves, she said.
On Privacy Shield's commercial aspects, the WP29 said the new agreement improves on safe harbor in several areas. But Falque-Pierrotin said several points need clarification, including: (1) Privacy Shield doesn't outline the key EU data protection principles. (2) The agreement offers numerous avenues for recourse by private individuals for misuse of their personal data, which is better than safe harbor, but the overall system is too complex to help people find the right avenue for seeking redress. The opinion criticized Privacy Shield for not including the new legal framework of the general data protection regulation about to be finalized by the EU. The second document deemed that guarantees are needed from safe harbor for security agencies to show that: (1) Their processing of personal data is based on clear, precise and accessible rules. (2) Information collection is proportionate and necessary to the legitimate objectives pursued. (3) There's an independent oversight mechanism. (4) There are effective remedies for individuals.
WP29 concluded Privacy Shield allows the possibility of indiscriminate, bulk data collection, which isn't acceptable, said Falque-Pierrotin. She noted a growing tendency toward ever-more massive collection of personal data to fight terrorism, and said the working party is awaiting various ECJ judgments in cases of mass data. Another worry is the independence and powers of the ombudsperson proposed by the U.S. for dealing with Europeans' requests for redress, she said. While it's an innovative idea, there aren't enough guarantees about the status and powers of the position to ensure it's truly independent, she said.
Privacy Shield is "a great step forward" but there's more work, said Falque-Pierrotin, urging the EC to beef up the draft's mechanisms and ensure that the protections offered by Privacy Shield are essentially equivalent to those of the EU. The working party is confident the EC will take its concerns into account before making an adequacy decision on the draft agreement, she said, but if it doesn't, "nobody knows" what happens next. Taking the decision to the ECJ is "always an option," she noted.
Nothing has changed on enforcement by data protection authorities, said Falque-Pierrotin. Companies can continue to use binding corporate rules and model contract clauses, but not safe harbor, she said. But there's no legal certainty until the EC makes its final decision on Privacy Shield, she said. WP29 won't express an opinion on the validity of the alternative data transfer tools until the EC decision and the various pending ECJ rulings are in, she said.
Wary Reaction
Data protection authorities (DPAs) are "sitting on the fence," said Hogan Lovells (London) privacy attorney Eduardo Ustaran. DPAs are "very cautious" about the issue of surveillance, something they have no control over, and, concerned about weaknesses in Privacy Shield on that issue, won't give it a green light, he said in an interview. "Unfortunately," the regulators are "sitting on the fence," he said. The EC is pressing ahead with making an adequacy decision on the new arrangement, he said. But it's inconsistent for the working group to complain about data transfer in light of U.S. intelligence-gathering while saying that binding corporate rules and model contract clauses are OK, he said. There isn't much certainty for businesses yet, he added.
"Expect significant delays in getting Privacy Shield in place" because the WP29 "will insist on additional, probably onerous and burdensome changes," said privacy consultant Tim Sparapani. The general data protection regulation being finalized sets the stage for Privacy Shield even if it's delayed, he said. Both debates expose the "fundamental disagreements about where government authority resides in the EU," he said. In the U.S., these would be called federalism disputes between the states and federal government, and the "same problem is playing out across the EU in many other subjects and now it's time for privacy and security to be fought over in the same way," he said. "Do the European member states have the authority or does it reside in Brussels?"
The opinion leaves open the possibility a version of the proposal will be blessed by the EC in an adequacy decision, said Ann LaFrance, a Squire Patton data privacy lawyer. That national data protection authorities haven't rejected the agreement outright "will come as a great relief to many transatlantic companies," she said in a statement. The opinion will likely delay the process of finalizing Privacy Shield, but the EC appears ready to move forward, she said. Legal challenges "will probably follow," but LaFrance said she hopes businesses will be able to use Privacy Shield to transfer personal data to the U.S., pending the outcome of litigation.
The WP29 opinion is nonbinding and could be derailed by the Article 31 Committee, which plays a part in the making of EU law, said Linklaters (Brussels) privacy attorney Tanguy Van Overstraeten. If the panel, made up of representatives from EU members, renders a negative opinion on Privacy Shield, the EC would have to communicate that to the Council, he said. While the EC could still adopt the arrangement, it would have to defer its application for three months from when it notified governments, he said: The Council, with a qualified majority, "could take a different decision within that three-month period."
EU governments should adopt Privacy Shield "without delay to provide legal clarity for thousands of European and U.S. companies and consumers," said the Computer & Communications Industry Association. On WP29's request for further clarifications, CCIA Europe Director Christian Borggreen said, "EU and US negotiators had the wisdom to include review clauses to continuously assess and improve Privacy Shield if deemed needed."
"The Privacy Shield has as many holes as a Swiss cheese," said European Consumer Organisation Director General Monique Goyens. EU consumers' privacy rights shouldn't expire once their personal data travels outside the EU, but the agreement does little to prevent that happening, she said. She urged the EC to heed the call from the WP29, which gave the agreement "in its current version their thumbs down."