So, here we are in April and, as previously noted here and here, we now have the reaction of the Article 29 Working Party (“WP29”) to the European Commission’s draft adequacy decision on the EU-US Privacy Shield.
WP29 has assessed Privacy Shield in the light of the current EU Directive on Data Protection (95/46/EC) as well as Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
WP29’s objective is to ensure that an equivalent level of protection is maintained when personal data is processed under the auspices of Privacy Shield.
As was perhaps to be expected, WP29 has expressed “strong concerns” about access by US public authorities to data transferred under Privacy Shield as well as certain other commercial aspects.
It highlighted the omission of certain key data protection principles of the Directive or a lack of clarity of meaning in the seven privacy principles set out in Privacy Shield.
WP29 has highlighted concerns that Privacy Shield could be used to circumvent the Directive’s principles where further data transfers take place onwards from the USA.
However, on the biggest issue they raise, they pull no punches: “… the Working Party regrets that the representations of the US Office of the Director of National Intelligence do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU.”
This has to be placed in the context of WP29’s longstanding position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, referring to applicable fundamental rights.
WP29 hails the establishment of an ombudsman redress mechanism whilst expressing concern that it would not be sufficiently independent or have adequate powers to guarantee a satisfactory remedy.
So, a lukewarm reaction, despite welcoming the “significant improvements” compared to Safe Harbor, and very much a work in progress. What is certain is that much still has to be done. In the meantime, the EU model clauses and binding corporate rules for intra-group data transfers remain the appropriate techniques for data protection compliant transfers. We will find out more about whether Privacy Shield will provide us with a longer-term solution in June, when the EU Commission is expected to issue its “Adequacy Decision”.
Of course, Mr Schrems and his friends will then look to challenge the new system.
For more information about Article 29 and the responses to it, or to find out more about how the commercial and technology team can help you, please contact Bill Gornall-King on 0118 952 7247 or email [email protected].
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.