Following the publication by the European Commission of the draft adequacy decision on the EU-U.S. Privacy Shield and related documents, the Article 29 Working Party has conducted its assessment in light of the applicable EU data protection legal framework as set out in Directive 95/46/EC, as well as the fundamental rights to private life and data protection as enshrined in Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental rights of the European Union.
The objective of the Working party is to make sure that an essentially equivalent level of protection is maintained when personal data is processed subject to the provisions of the Privacy Shield.
Overall, the Working Party welcomes the significant improvements brought by the Privacy Shield compared to the Safe Harbour decision. In particular, the insertion of key definitions, the mechanisms set up to ensure the oversight of the Privacy Shield list and the now mandatory external and internal reviews of compliance are a positive step forward.
However, the Working Party has strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.
As a preliminary remark, the WP29 regrets that the Privacy Shield is constituted by a various set of documents and that therefore, the principles and guarantees afforded by the Privacy Shield are set out in both the adequacy decision and in its annexes making the information both difficult to find, and at times, inconsistent. This contributes to an overall lack of clarity.
Then, the Working Party recalls that the Privacy Shield adopted on the basis of Directive 95/46/EC needs to be consistent with the EU data protection legal framework, both in scope and terminology.
In this regard, a review of the text of the Privacy Shield will have to take place after the entry into application of the General Data Protection Regulation in the course of 2018, in order to ensure the higher level of data protection offered by the Regulation is followed in the Privacy Shield.
Concerning the commercial aspects, the WP29 first of all considers that some key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions. In particular, the application of the purpose limitation principle to the data processing is unclear. The Working Party is also concerned that the data retention principle is not expressly mentioned and cannot be clearly construed from the current wording of the text. Furthermore, there is no specific wording on the protection that should be afforded against automated individual decisions based solely on automated processing.
Because the Privacy Shield will also be used to transfer data outside the US, the WP29 insists that onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower or circumvent EU data protection principles.
Besides, although the Working Party notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism in practice may prove to be too complex, difficult to use for EU individuals, especially in a different language, and therefore ineffective. Further clarification of the various recourse procedures are therefore needed; in particular, where they are willing, national EU data protection authorities could be considered as a natural contact point for the EU individuals in the various procedures, having the option to act on their behalf.
Concerning access by public authorities to data transferred under the Privacy Shield, the Working Party regrets that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU. The WP29 recalls its longstanding position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights. The WP29 takes note that there is a tendency to collect ever more data on a massive and indiscriminate scale in the light of the fight against terrorism. Given the concerns this brings for the protection of the fundamental rights to privacy and data protection, the WP29 looks to the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.
Furthermore, the Working Party welcomes the establishment of an Ombudsperson as a new redress mechanism. This may constitute a significant improvement for EU individuals’ rights with regards to U.S. intelligence activities. However, the WP29 is concerned that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.
As a conclusion, the Working Party notes the improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. But, given the concerns expressed and the clarifications asked, it urges the Commission to resolve these concerns and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.