On May 30, the European Data Protection Supervisor (the “EDPS”) issued an opinion on the Privacy Shield, see opinion here and press release here.  The EDPS acknowledged that the European Commission’s draft adequacy decision on the Privacy Shield is a step in the right direction and shows a number of improvements compared to the EU-U.S. Safe Harbor decision.  He took positive note, in particular, of the increased transparency demonstrated by the U.S. authorities and the recent trend to move to more targeted and selected surveillance.  Complementing and underlining some of the recommendations of the Article 29 Data Protection Working Party (see our previous blog post here), however, the EDPS took the view that significant improvements are required in order to achieve a solid and stable long-term framework for EU-U.S. data transfers.  The EDPS also emphasized the need to make the solution future-proof and to provide legal certainty for controllers which “should not be expected constantly to change compliance models.”

The EDPS’s main recommendations are:

  1. Integrating all main Data Protection Principles: The EDPS felt that the draft Privacy Shield omits substantive details relating in particular to the principles of data retention and automated processing.  Among other things, the EDPS suggested further clarification regarding the purpose limitation principle and the exceptions to the Privacy Shield requirements.
  2. Limiting Derogations: The EDPS welcomed efforts towards increased transparency on the part of the U.S. authorities and their involvement in the negotiations. He also considered the guidance in U.S. Presidential Policy Directive 28 against mass collection as a positive development.  But the EDPS recommended that the purposes for which exceptions to the Privacy Shield principles are allowed and the requirement of a legal basis be more precise.  He also encouraged further policy and legislative amendments.
  3. Improving Redress and Oversight Mechanisms

The EDPS emphasized that the role of the Ombudsperson should be independent of any other authority; which could be achieved, for example, through the possibility of reporting directly to Congress.  He also recommended that the European Commission seek more specific commitments that the requests for information and cooperation from the Ombudsperson, as well as her decisions and recommendations, will be effectively respected and implemented by all competent U.S. agencies and bodies.

The EDPS encouraged the European Commission to explore the feasibility of involving EU representatives (such as a panel of trusted representatives of EU parliamentary committees, EU or national high courts or data protection authorities) in certain aspects of the assessment or of requiring authorization by a judicial authority of certain requests to access data or oversight by an EU judge or EU data protection authorities as is already the case in other arrangements.

Additional recommendations:  Furthermore, the Opinion contains a number of additional recommendations.  These range from recommending the full integration of the data minimisation and data retention principles, adding safeguards for automated processing, clarifying the purpose limitation principle and limiting exceptions to improve redress and oversight.

On a more general note, the EDPS also called for a more comprehensive assessment of U.S. federal and state laws allowing access to personal data transferred to the US for public interest purposes beyond the area of national security and law enforcement.  The European Commission should also look at other laws and regulations with an impact on the protection of personal data, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Children’s Online Privacy Protection Act of 1998 (COPPA).

As regards the joint review of the application of the Privacy Shield, the EDPS called for on-the-spot verifications in addition to meetings.  The review should cover both the commercial part and the access to personal data by U.S. authorities.

GDPR:  In the EDPS’s view, the adequacy decision on the Privacy Shield, which is based on the existing EU legal framework, should also take into account the changes that the General Data Protection Regulation (“GDPR”) will bring about.  Among other things, the GDPR contains new elements, such as privacy by design, privacy by default or data portability, which are not addressed in the draft adequacy decision on the Privacy Shield.

In conclusion, the EDPS promoted the development of a sufficiently robust, longer term solution which respects the essence of key data protection principles and provides much needed clarity and legal certainty.

The Article 31 committee, which is made up of representatives of each EU Member State, is continuing to deliberate on the Privacy Shield and will meet several times in June.  This committee must provide a binding opinion supporting the draft adequacy decision, by qualified majority, for the Privacy Shield to go ahead.