News Archives

Thursday, July 28, 2016

Art 29 WP Remains Concerned about Privacy Shield

On July 26, the Article 20 Working Party issued a statement praising improvements in the Privacy Shield mechanism secured by the European Commission over the past three months, but also indicating that “a number of concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.”  As examples of concerns with respect to commercial activities, the Working Party cited the lack of: (a) specific rules on automated decisions; (b) a general right to object; and (c) clarity as to how the Privacy Shield Principles apply to processors.  With respect to access by U.S. public authorities, the WP29 remains uncomfortable concerning the independence and powers of the Ombudsperson and regrets the lack of concrete assurances that mass and indiscriminate surveillance does not take place.

These concerns notwithstanding, the Working Party stated that the robustness and efficiency of the Privacy Shield mechanism will be best assessed during the first joint annual review, insofar as all members of the review team “shall have the possibility to directly access all the information necessary” to carry out the review.  The WP29 concluded its statement with a commitment to “proactively and independently” assist data subjects with exercising their rights under the Privacy Shield mechanism.  In addition, the Working Party stated that it would soon provide guidance on the mechanism to both data controllers and to citizens, along with its suggestions on the composition of the EU centralized body envisaged by the agreement and the practical organization of the joint annual review.

Contrary to numerous reports in the press, a careful reading of the Working Party statement reveals that they did not approve or endorse the Privacy Shield framework, nor did they say that they would not challenge the adequacy of the agreement for at least one year.  With the Commission formally adopting the mechanism on July 12, the WP29, as an advisory body, was not in a position to either approve or reject it.  Given the independence of data protection authorities, as well as their obligations to protect the privacy of data subjects, the Working Party was also not in a position to pledge to refrain from taking such steps as may be necessary to fulfill their responsibilities.  Buttressed by the Schrems ruling that affirmed their independence even in the face of an adequacy decision, one or more of the EU’s DPAs, such as those in Germany, may not be as patient as the Working Party appears to be.

A fairer summation of the position of the Working Party is that its assessment of Privacy Shield remains incomplete, that it looks forward to completing that assessment during the joint annual review, and that in the meantime it will vigorously and independently investigate any complaints from data subjects about how their personal data is handled under the mechanism. To read this as a "tepid endorsement," "temporary green light" or "moratorium" on challenging Privacy Shield reflects wishful thinking.

It is true that Isabelle Falque-Pierrotin, chairman of the Article 29 Working Party, stated verbally at a press conference on July 26 that the EU DPAs would not launch legal action on their own initiative in the next year.  However, this is not to say that they may not be involved in a legal action brought by another party, such as an individual, a Member State, the EU Parliament or another EU institution, that challenges the Privacy Shield mechanism.  Should a complaint from an individual come forth, such as the one promised by Max Schrems, they may feel obligated to request guidance from the courts as to the adequacy of Privacy Shield.

No comments:

Post a Comment