Friday, December 8, 2017

WP29 Sets Deadlines for Privacy Shield Improvements

At a plenary meeting on November 28, the Article 29 Working Party adopted a 38-page opinion on the effectiveness of the Privacy Shield program, following the first annual joint review conducted by the European Commission in Washington DC in September 2017.  Eight representatives of the Working Party took part with the Commission in the review, including both DPAs and expert staff.  The Commission issued its own report on the review on October 18, finding that Privacy Shield continued to ensure an adequate level of protection, while noting a number of recommendations for improvements.

As might be expected, the Working Party opinion, while noting that Privacy Shield represented a significant advance over the invalidated Safe Harbor framework, was more forceful in calling for these and other improvements to be instituted by the U.S. government within specific time frames:
  • May 25, 2018 was set as the deadline for development of an action plan (a) to demonstrate that all of the Working Party's concerns will be addressed; (b) to appoint the independent Ombudsperson and clarify the rules of procedure of this office; and (c) to fill the vacancies in the Privacy and Civil Liberties Oversight Board (PCLOB).
  • The second joint annual review was set as the deadline for addressing the remaining concerns of the WP29.
Barring remediation of its concerns within these time frames, the opinion states that members of the Working Party "will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling."  It is worth noting that: (a) the track record of the WP29 with respect to previous warnings of imminent enforcement actions is less than compelling; and (b) while this latest deadline-setting ups the ante by threatening the existence of Privacy Shield itself as opposed to targeting particular companies, the reference to the CJEU is likely to take a considerable amount of time, as witnessed by the Irish High Court's current referral of the Schrems case.

Of particular interest in the WP29 opinion is the prominence it gives to concerns about HR data. The Department of Commerce began operations of the Privacy Shield program by allowing companies acting as data processors for EU companies with respect to employee data to certify that they were processing HR data and relied upon EU data protection authorities as their independent recourse mechanism.  After a few months, the DOC changed course and began treating such transferred data as commercial data, requiring public disclosure of the relevant privacy policy and not requiring that EU data protection authorities be the independent recourse mechanism.  The WP29 rejects this interpretation of "HR data" and calls for rectification by the DOC.  Where this leaves companies certifying or re-certifying HR data under Privacy Shield is unclear, but a conversation with the DOC Privacy Shield team - said to be ten in number - would be advisable.