On April 13, 2016, the body of European Data Protection Authorities (DPAs)—the "Article 29 Working Party" (WP29)—issued its opinion on the new EU-U.S. Privacy Shield.1 The WP29 acknowledged that progress has been made with the Privacy Shield, but called for several significant changes to the shield before it can be found to provide protection that is "essentially equivalent" to EU data protection law. Importantly, the WP29 also concluded that it will not examine the validity of EU Model Contracts and Binding Corporate Rules (BCRs) until after an adequacy determination has been made regarding the Privacy Shield. Those data transfer mechanisms remain valid for now.
The WP29 opinion is not legally binding, but its issuance is a key step on the road to formal adoption of the Privacy Shield. The opinion holds important political value, as it gives an indication as to how DPAs would evaluate data transfers made under the Privacy Shield. If ultimately approved by the EU Commission, the Privacy Shield will provide a legal basis for data transfers from the EU to the U.S.
More information on the Safe Harbor framework and Schrems can be found here.
Background
The Privacy Shield was negotiated by the EU Commission and the U.S. Department of Commerce to provide a legal basis for companies in the U.S. to receive personal data from the EU, in compliance with EU data transfer requirements. It was announced by the EU and U.S. on February 2, 2016, as a replacement for the Safe Harbor framework that was invalidated by the EU Court of Justice (CJEU) in its Schrems judgment of October 6, 2015.2 The Privacy Shield documentation that the WP29 opined on was published shortly afterwards.3 More information on the Privacy Shield documentation can be found here.
Key Points of the WP29 Opinion
The following are some of the key takeaways:
Changes to the Privacy Shield
The WP29 finds that the Privacy Shield generally improves the level of protection for EU citizens' personal data compared to the invalidated Safe Harbor framework. However, the WP29 calls on the negotiators of the Privacy Shield to make the following improvements before the shield can be deemed acceptable:
- Better align Privacy Shield principles with EU data protection principles. The Privacy Shield principles are similar to, but do not fully overlap with, EU data protection principles. The WP29 concludes that the Privacy Shield principles should follow the EU data protection principles more closely. For instance, the Privacy Shield should explicitly provide for a data retention principle, as is provided under EU data protection law. Also, the onward transfer principle in the Privacy Shield should include an obligation for companies to assess the level of data protection provided by the country of the onward data transfer recipient.
- Simplify redress mechanisms. Under the Privacy Shield, individuals can seek redress by complaining directly to the Privacy Shield company or to their national DPA. Individuals also have access to an alternative dispute resolution mechanism selected by the company. In addition, as a last resort and under certain conditions, individuals have access to a Privacy Shield panel—an arbitration mechanism that can make binding decisions against companies.
The WP29 welcomes the fact that the Privacy Shield provides more redress mechanisms for EU individuals in comparison to the Safe Harbor framework. However, the WP29 is concerned that the redress mechanisms are too complicated to be effective. Also, it finds that the Privacy Shield should focus more on the role of the national DPAs as the key points of contact for EU individuals. - Limit bulk data access by the U.S. government. The Privacy Shield contains assurances from the U.S. government that data access by U.S. authorities is subject to clear limitations, safeguards, and oversight mechanisms. It also provides for the creation of an ombudsperson within the U.S. Department of State to handle complaints related to data access by national intelligence authorities.
However, the WP29 concludes that this is not sufficient to meet the EU standard for privacy protection in the context of surveillance by public authorities (described in the "European Essential Guarantees"4 document that the WP29 published today together with the opinion). In particular, the WP29 is concerned that bulk data collection for national security purposes remains possible under the Privacy Shield. The WP29 also questions the powers and independence of the ombudsperson. - Revision clause. The Privacy Shield has been prepared under the current EU data protection legal framework (i.e., EU Data Protection Directive 95/46/EC). However, the EU Data Protection Directive will soon be replaced by the EU General Data Protection Regulation (GDPR). The GDPR is expected to be adopted on April 14, 2016, and become effective by Spring 2018. More information on the GDPR can be found here. Since the GDPR will substantially tighten EU data protection rules, the WP29 suggests that the Privacy Shield should contain a revision clause allowing for the Privacy Shield to be adjusted to the GDPR's standards once the GDPR comes into force.
- Eliminate inconsistencies and complexity of Privacy Shield documents. The Privacy Shield is composed of various documents, including letters, annexes, and the draft "adequacy decision" by which the EU Commission will give effect to the Privacy Shield. The WP29 suggests that these documents should be consolidated in a more easily digestible format to make them more understandable and to eliminate inconsistencies between them.
EU Model Contracts and BCRs Are Still Valid
After the invalidation of the Safe Harbor by the Schrems judgment, the WP29 announced that it would examine the implications of the judgment for other data transfer mechanisms, i.e., the EU Model Contracts and BCRs. However, the WP29 stated today that it will wait to make that assessment until the EU Commission has adopted its "adequacy decision" to give effect to the Privacy Shield. During the press conference, Ms. Falque-Pierrotin, chair of the WP29, said that for now, EU Model Contracts and BCRs are still valid instruments to legitimize international data transfers of EU personal data.
Next Steps
The WP29's approval is not a prerequisite for the formal adoption of the Privacy Shield, but it has important political value. The WP29 highlights the bases on which the Privacy Shield may be challenged, if it is adopted in its current form. The Privacy Shield will now be reviewed by a committee of representatives of the EU member states (i.e., the Article 31 Committee) before being presented to the College of EU Commissioners for final approval. According to the WP29, this is expected to occur in June 2016 or September 2016. The U.S. government will work in parallel on the practical implementation of the Privacy Shield.
We will continue to monitor related developments closely and update you on any significant news.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws globally, along with advising clients on EU privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Chris Olsen, or another member of the firm's privacy and data protection practice.
Sarah Cadiot, Sára G. Hoffman, and Laura De Boel contributed to the preparation of this WSGR Alert.
