Several hours after holding a closely-watched press conference we reported on yesterday, the Article 29 Working Party (“Art. 29 WP”) released its highly anticipated formal opinion on the adequacy of Privacy Shield.
The European Commission has put forth a draft “adequacy decision” in which it declares that on the basis of Privacy Shield, the United States offers data protection that is essentially equivalent to that offered in the EU. If adopted, this adequacy decision would permit data transfers to US companies that agree to abide by the Privacy Shield principles. The formal opinion issued by the Art. 29 WP is an important part of the approval process.
In its formal opinion, the Art. 29 WP clearly indicates that it does not see the current draft of Privacy Shield as providing adequate protection for EU data transferred to the US. Nonetheless – and consistent with its position at yesterday’s press conference – the Art. 29 WP nowhere states that changes must be made to Privacy Shield before the Commission adopts its draft adequacy decision. Instead, the opinion lists Art. 29 WP’s “concerns,” and states that it awaits “clarifications” from the Commission on the issues it has raised.
Because the opinion is an extensive document covering nearly 60 pages and addressing myriad topics, it cannot be fully summarized here. However, the Art. 29 WP’s primary points of contention with Privacy Shield are as follows:
On the commercial side:
- Onward transfers: The Art. 29 WP notes that the Onward Transfer rules have been significantly improved, but notes that several important deficiencies remain. First, if a Privacy Shield organization wants to onward-transfer EU data to a third country, Art. 29 WP notes that Privacy Shield does not require the organization to evaluate whether that third country provides adequate protection. Second, Art. 29 WP states that onward-transfer provisions lack a purpose limitation rule. Lastly, Art. 29 WP would like to see tighter rules for US organizations acting as processors who onward-transfer EU data to subprocessors.
- Data Retention: Art. 29 WP expresses strong concern that Privacy Shield seems to lack a data retention principle, i.e. a rule stating that “personal data must only be kept as long as necessary to achieve the purpose for which the data have been collected.” In the Art. 29 WP’s opinion, this is a “fundamental principle,” and its absence conceivably means that US organizations can “keep data as long as they wish, even after leaving the Privacy Shield.”
- Purpose limitation: Art. 29 WP is concerned that the scope of Privacy Shield’s purpose limitation principle varies under Privacy Shield’s Notice, Choice, and Data Integrity principles. It recommends harmonizing the purpose limitation principle to generally prohibit any processing incompatible with original collection purposes.
- Automated Decisionmaking: The Art. 29 WP notes that Privacy Shield “does not provide any legal guarantees” in situations where “individuals are subject to a decision which produces legal effects  or significantly affecting them,” and the decision “is based solely on automated processing of data” about them (such as work performance or creditworthiness). This is not necessarily a fundamental data protection principle, but it will become EU law under the current Art. 22 of the GDPR, and the Art. 29 WP has increasingly emphasized it in recent opinions.
- Recourse: In the Art. 29 WP’s opinion, Privacy Shield contains too many redress mechanisms: “considering the complexity and the lack of clarity of the overall architecture of the mechanism, the WP29 fears that, in practice, the effective exercise of the data subject’s right might be undermined.” 29 WP recommends empowering European Data Protection Authorities (DPAs) to “represent the data subject and act on his behalf or to act as an intermediary” – or to require US organization to consent to the jurisdiction of European courts.
On the surveillance side, the Art. 29 WP sets up its opinion so that it judges the permissibility or impermissibility of the surveillance measures allowed under Privacy Shield under standards distilled from EU judicial precedent. It therefore appears to be the Art 29 WP’s position that a non-EU country does not provide “adequate protection” unless its domestic surveillance and law-enforcement laws comply with the requirements of EU fundamental-rights jurisprudence. Using this analysis, the Art. 29 WP expresses the following concerns about US surveillance:
- Bulk collection: Art. 29 WP states that “there are indications that the U.S. continue to collect massive and indiscriminate data, or at least do not exclude that they may still do so in the future.” In contrast, Art. 29 WP’s view is that only targeted collection and targeted use is permissible under guiding EU law. As a result, “a clarification of the draft adequacy decision is needed” to address which enumerated categories of data (among them national-security and law-enforcement data) US law permits to be collected in “in bulk.”
Importantly, however, Art. 29 WP states that its view on bulk collection could change significantly depending on the outcome of two forthcoming decisions of the European Court of Justice (ECJ). One case will address bulk sharing of Passenger Name Records between the EU and Canada, while another will address a law passed by Sweden that requires bulk storage of communications metadata.
- Ombudsperson mechanism: The Art. 29 WP begins by praising the US’s willingness to create a novel Ombudsperson mechanism, and notes that EU law does not require judicial oversight of national-security surveillance. Nonetheless, Art. 29 WP expresses strong concern that the Privacy Shield Ombudsperson (a) may not be sufficiently independent because she is a political appointee; (b) may lack sufficient investigatory powers, especially over intelligence agencies; and (c) may not be able to remedy non-compliance with privacy principles. The Art. 29 WP recommends clarifying the “powers and position” of the Ombudsperson.
Lastly, Art. 29 WP appears to anticipate that the Commission may adopt its adequacy decision on the basis of Privacy Shield despite its Opinion. Perhaps with this in mind, Art. 29 WP recommends requiring a mandatory review of Privacy Shield (as well as of “the adequacy decisions issued for other third countries”) when the GDPR enters into force in 2018.
The Art. 29 WP’s opinion is non-binding on the Commission. Thus, the Commission does not need to adopt the Art. 29 WP’s recommendations and can move ahead with adopting an adequacy decision. Before doing so, the Commission will wait until the European Data Protection Supervisor and the Art. 31 Committee of Member-State representatives have first issued their own adequacy opinions regarding Privacy Shield. The Commission’s decision is anticipated in June or – if not issued before the summer break – in September.
Despite its non-binding nature, the Art. 29 WP’s opinion could pose stumbling blocks for Privacy Shield down the road. Art. 29 WP has offered several potential arguments for challenging Privacy Shield in court. Documents recently leaked by German DPAs indicate that some DPAs are considering a court challenge, and Art. 29 WP’s opinion – without taking a position on the issue – references ECJ jurisprudence holding that any person has standing to file a suit to remedy violations of their fundamental rights. Although the outcome of an ECJ challenge is uncertain, prior ECJ decisions have generally consistently taken a strict approach regarding the protection of fundamental data-protection rights.
The Operational Perspective
Importantly for business, the Art. 29 WP does not address the validity of alternative data-transfer instruments such as Binding Corporate Rules or Model Clauses. Instead, the Art. 29 WP expressly stated during a press conference yesterday that these “other transfer tools” remain valid at least until the Commission issues its final adequacy decision. Thus, for the interim, businesses can rely on alternative transfer tools as valid bases for their international data transfers.
If the Commission does in fact adopt an adequacy decision, the situation could become more complex. The likelihood that Privacy Shield is challenged in court is significant. Moreover, Art. 29 WP indicated in press statements that it may revisit the validity of Binding Corporate Rules and Model Clauses after the Commission has issued its adequacy decision. The result of this review may depend on forthcoming ECJ decisions regarding bulk surveillance, and on DPAs’ evolving positions regarding the propriety of extensive data collection for counterterrorism purposes.
A copy of the Art. 29 WP’s opinion on Privacy Shield can be downloaded here.
Alston & Bird is closely following the development of Privacy Shield, its review by leading EU privacy bodies, as well as the process of its adoption by the Commission.
Additionally, on April 28, Alston & Bird will host the first installment of its multi-part Roadmap to the GDPR series – which will focus on international data transfers from the EU. For more information, contact Jim Harvey or Jan Dhont.