Today, the Article 29 Data Protection Working Party (“Working Party”), a group consisting of representatives from the European data protection authorities, the European Data Protection Supervisor, and the European Commission, published its opinion on the EU-U.S. Privacy Shield draft adequacy decision (“Opinion”) (see here). The Opinion is accompanied by a second document, Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (“European Essential Guarantees”) (see here). This document sets out EU standards for surveillance by public authorities in the EU and U.S., as formulated by the Working Party. The Working Party also issued a press release (see here). The chairwoman of the Working Party, CNIL President Falque-Pierrotin, presented the documents today in a press conference, a recording of which is available here.

According to the Working Party, the Privacy Shield contains significant improvements compared to the now-defunct EU-U.S. Safe Harbor framework; however, there remain certain concerns and a need for clarification. 

Key points

The Opinion is divided into two main parts: one dealing with the “commercial part” of the Privacy Shield, the other with the “national security guarantees.”

  • As general remarks, the Working Party states that the Privacy Shield arrangement is unnecessarily complex: it is made up of several documents and annexes that are complex, not clearly linked and at times inconsistent with each other, which contributes to “an overall lack of clarity.” Certain terms are used inconsistently or are not defined clearly enough or at all. The Working Party also regrets that the draft adequacy decision does not include a comprehensive assessment of the domestic law and the international commitments of the U.S. in the form of an adequacy report and calls for clarification of the exact arrangements for the annual joint review of the Privacy Shield framework. Finally, the Working Party recommends that the Privacy Shield contain an explicit reference to a review of the framework shortly after the General Data Protection Regulation (“GDPR”) enters into force in 2018 to ensure that it reflects the higher level of protection afforded under the GDPR.
  • With respect to the commercial part, while the Working Party recognizes that there are major improvements in the Privacy Shield compared to the EU-U.S. Safe Harbor framework in many aspects, a number of concerns remain. In particular, the Working Party considers that some of the key EU data protection principles are not sufficiently reflected in the Privacy Shield or have been “inadequately substituted by alternative notions,” such as the purpose limitation and data retention principles. The Working Party also considers that the onward transfer principle is not robust enough where data is flowing to a third country and has specific concerns regarding the application of certain Privacy Shield principles to the processing of HR and pharmaceutical data. Further, the Working Party criticizes the Privacy Shield’s application to U.S. organisations acting as processors (agents) as being unclear. Finally, the recourse mechanisms available to EU data subjects are deemed too complex; in the Working Party’s opinion the national data protection authorities should be data subjects’ natural first point of contact.
  • With respect to the national security guarantees, the Working Party has assessed the Privacy Shield against the fundamental rights enshrined in the European Convention on Human Rights, the EU Charter and established case law of the European Courts, including the Schrems ruling, which it distilled in the European Essential Guarantees document. The Working Party acknowledges the increased transparency on data collection and access for national security and law enforcement purposes provided by the Privacy Shield documents, but still requires further clarification. The Working Party highlighted two main concerns:
    1. the Privacy Shield permits the bulk collection of data for a number of broadly defined purposes, which raises concerns regarding the proportionality of the data collection, and in the Working Party’s view indiscriminate and massive data collection is not fully excluded; and
    2. there are insufficient guarantees to ensure that the ombudsperson — a new oversight mechanism the U.S. government has committed to create to deal with complaints about U.S. law enforcement access to data — is sufficiently independent and is vested with adequate powers to exercise effective and continuous control over U.S. intelligence agencies’ surveillance activities.

The Working Party concludes that it has not been provided with sufficient information to carry out a full assessment regarding the accessibility, foreseeability, necessity, and proportionality of the U.S. rules governing law enforcement access to data and whether effective remedies are actually available to data subjects in the area of law enforcement. The Working Party suggests that such an assessment could form part of an annual review of the Privacy Shield instead.

Next steps

As reported here, the European Commission published the text of the Privacy Shield on February 29, 2016, including the draft adequacy decision on the Privacy Shield that will need to be adopted by the EU College of Commissioners via the “comitology procedure.”

This procedure requires a binding opinion by the Article 31 Committee, a committee composed of Member State representatives and chaired by the Commission. The Committee must support the draft decision on the Privacy Shield by a qualified majority for the Commission to be able to adopt the decision without having to refer the draft decision to an appeal committee. The Article 31 Committee will likely carefully consider the Working Party’s Opinion before delivering its views on the draft decision, but is not formally bound by the Working Party’s Opinion, which is not legally binding.

During the Working Party’s press conference, Ms. Falque-Pierrotin stressed that there is still work to do and urged the European Commission to resolve the concerns, to identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and to ensure that the protection offered by the Privacy Shield is essentially equivalent to that of the EU. The Working Party also called upon the EU and U.S. to continue their negotiations. The chairwoman suggested during the press conference that the Working Party is unlikely to adopt another opinion on a revised Privacy Shield, but did not want to exclude the possibility of taking further action once the Commission has issued its final decision on the Privacy Shield.

European Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, reacted to the Working Party’s press conference by stating that the Commission will work to include the recommendations raised by the Working Party and plans to do so before the Article 31 Committee meetings that are scheduled to take place on April 29 and May 19. The Committee’s vote is expected to take place during the latter meeting. According to Commissioner Jourová, the Commission is still aiming to adopt the Privacy Shield adequacy decision by June.

European Essential Guarantees

In order to assess the consequences of the Schrems ruling for all data transfers to the U.S., the Working Party inventoried and analyzed jurisprudence of the European Courts related to certain fundamental rights, including the rights to private and family life and to data protection. The European Essential Guarantees document is stated to provide guidance when assessing if the interference with a fundamental right can be justified and to apply to all data processing operations, including transfers on the basis of Articles 25 and 26 of the EU Data Protection Directive. The Working Party identified the following four European essential guarantees, which it then further elaborates:

  • Processing should be based on clear, precise and accessible rules.
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
  • An independent oversight mechanism should exist.
  • Effective remedies need to be available to the individual.

Model Clauses and BCRs

Importantly, in response to questions from the floor, the Working Party chairwoman confirmed that data exporters will be able to continue to use other data transfer mechanisms (i.e., model clauses and Binding Corporate Rules), at least for now. She indicated that the Working Party may review the validity of the other transfer mechanisms once the Privacy Shield adequacy decision has been formally adopted.