The Article 29 Working Party (“WP29”), a group consisting of representatives from each European data protection authority, the European Data Protection Supervisor, and the European Commission, yesterday issued a press release detailing its recommendations for the first Annual Joint Review of the EU-U.S. Privacy Shield (“Privacy Shield”), which will take place in September 2017.  Specifically, the June 13 press release announced that WP29 had adopted a letter to send to the European Commission with its views and questions regarding U.S. fact-finding on commercial matters, law enforcement, and national security.  According to the WP29, answers to these questions will be crucial to “ensur[ing] that the US authorities are able to constructively answer concerns on the concrete enforcement of the Privacy Shield decision.”

The WP29 emphasized in its press release the need to assess the “robustness and effectiveness of the Privacy Shield mechanism,” which the EU and U.S. jointly adopted in July 2016 to provide a framework for cross-border data transfers.  The WP29’s current concerns echo points that the group has previously raised and also reflect developments in the current U.S. administration.

  • Regarding the commercial part of the U.S. fact-finding for the annual review, the WP29 expressed concerns over the legal guarantees that exist around automated decision making, the existence of guidance on the application of the Privacy Shield from the U.S. Department of Commerce, and clarifications on definitions, specifically including “human resources data.” The WP29’s list is non-exhaustive.
  • With respect to the law enforcement and national security part, the WP29 stressed its need to obtain information related to “the latest developments of US law and jurisprudence in the field of privacy.” In particular, the group stated it seeks “precise evidence to show that bulk collection, when it exists, is ‘as tailored as feasible.’” The WP29 also raised questions about Privacy Shield oversight, including the nomination of four members of the Privacy and Civil Liberties Oversight Board (“PCLOB”), as well as questions regarding the appointment of the Ombudsperson and the mechanisms governing that position.

The WP29 further used the press release to announce that it has been “intensely preparing” for the annual review, and it shared recommendations regarding participants, the length of the review, and the WP29’s ability to publish its own report.

The WP29’s letter comes in the wake of larger questions about the implementation of the Privacy Shield on both sides of the Atlantic. With more 2,000 organizations listed as self-certified under the framework, the first annual review will provide an important opportunity to shape the future of cross-border data transfers across many industries.  We will continue to monitor developments relating to the Privacy Shield and the first annual review.