On 13 April, the ‘Article 29 Working Party’, the body of European Data Protection Authorities (DPAs), published their eagerly awaited opinion on the EU-US Privacy Shield. In many ways, the delicate balance the DPAs strike in their analysis is consistent with expectations. Overall, the WP29 Opinion is neither a straightforward endorsement, nor a blanket rejection of the Privacy Shield.
On the one hand, they welcome notable improvements in the agreement, as compared to the defunct Safe Harbor scheme. On the other hand, they raise several points of criticism and call for further amendments to be made to the framework. Their analysis echoes to some extent the comments CDT and other groups have made over the past few months.
The section of the WP29 Opinion that focuses on intelligence and law enforcement collection of data is based on the four criteria set out in the WP29 press statement issued on 3 February. The opinion states: First, processing should be based on clear, precise and accessible rules; second, it should be necessary and proportionate in regard to the intended objectives, and the objectives should be balanced against the rights of the individual; third, it should be subject to independent, effective, and impartial oversight; and fourth, there must be effective remedies available to the individual.
In general, the WP29 Opinion appreciates that government access is included in the draft adequacy decision – a major improvement over the Safe Harbor. It notes the improved transparency and availability of information about US intelligence activities as a result of PCLOB reports and FISA Court disclosures, and it acknowledges the practical effects of the purpose limitations set out in US Presidential Policy Directive 28 (PPD-28). It welcomes the establishment of an Ombudsperson function to provide a measure of redress for European ‘individuals’ (whether that is taken to mean EU citizens or residents), but also questions whether that institution is sufficiently independent and empowered to make this redress effective and adequate to meet the Schrems standards. In addition, the Opinion notes that, notwithstanding PPD-28 and the commitments given by senior US Government officials, broad bulk data collection remains permissible under FISA Section 702.
With regard to the commercial aspects of the Privacy Shield, the Opinion notes that the data retention principle has not been explicitly included, and that protections regarding automated processing and decisions are insufficient. It also recommends clarification of the wording on purpose limitation. The Opinion ‘insists’ that the Privacy Shield rules should expressly cover onward transfers of data to countries outside the US, including for national security and law enforcement access. Finally, while the DPAs acknowledge the new complaints and recourse mechanisms available to EU individuals, they note that these mechanisms may be too complex and difficult for people to use.
The European Commission has not yet commented on the WP29 Opinion, but we would expect the Commission to work with its US counterparts to address at least some of the concerns raised. An initial guess might be that the negotiations focus on the recommendations pertaining to commercial aspects. This is probably the area that is most susceptible to amendment and where the negotiators have competence. On the national security side, the DPAs did not follow the call by a number of US and European NGOs to make Privacy Shield approval contingent on US legislative reform, principally FISA Section 702. This was a pragmatic choice because, as a practical matter, the US Congress could not act in time for the Privacy Shield to be put in place.
CDT’s position on the Privacy Shield remains that the surveillance concerns that prompted the CJEU’s Schrems decision should be addressed through reform of Section 702. We have also acknowledged that, in the meantime, a new EU-US data transfer framework is necessary so that transatlantic commerce and communications can continue. Whether the Privacy Shield will provide the necessary legal certainty and stability remains uncertain. The Privacy Shield will be vulnerable to legal challenge, as will the other data transfer schemes, namely Standard Contractual Clauses and Model Contracts. Overall, as we have said before, a long-term solution requires reform of surveillance laws, both in the US and in several European Member States. That must remain the ultimate objective.