EU privacy regulators offer dubious endorsement of Privacy Shield
In its July 26 statement, the Working Party praised the “improvements” contained in the new data-sharing pact between the European bloc and the United States, but expressed several remaining concerns, particularly with regard to a lack of clarity on automated decisions and an individual’s right to object in the commercial sector and access by U.S. government authorities to EU citizens’ personal data.
Specifically, the Working Party stated that it “regrets the lack of concrete assurances” in the Privacy Shield that bulk and indiscriminate surveillance would not take place with Europeans’ information transferred to the U.S., despite assurances from the Office of the Director of National Intelligence that this wouldn’t occur, and that it “would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism.”
Notwithstanding these concerns, the Working Party is very interested to see how the new framework will operate in practice once U.S. organizations are able to self-certify with the Department of Commerce on August 1, and thus will wait until the first joint annual review to raise specific objections. According to the Working Party, this review will be a “key moment for the robustness and efficiency of the Privacy Shield mechanisms to be further assessed.” Specifically, the WP29 promised that, during this initial review, “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.”
The WP29 went on to say that “[t]he results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.” Until then, however, the Working Party has committed itself to “proactively and independently assist data subjects” and work to provide guidelines to data controllers as to their obligations under the Privacy Shield.
The Working Party acts as an independent advisory group made up of representatives of each of the EU’s national data protection authorities (DPA). Although the opinions of the Working Party do not have the force of law, they serve as a strong indication of the ways in which the European DPAs will react to certain data protection issues; in the case of the Privacy Shield, only time will tell.
To find out how your company can become Privacy Shield-compliant and take advantage of the nine-month grace period before the September 12, 2016, deadline, please contact one of our data privacy attorneys below.