Question: When is a shield not a shield? Answer: When it still looks a wee bit like Safe Harbor!
The Article 29 Data Protection Working Party (“the A29WP”) has, at a conference in Brussels today (13 April 2016), given its opinion (the “Opinion”) on the Commission’s proposed Privacy Shield.
What is the Privacy Shield and why does it matter?
On 6 October 2015, in a landmark ruling in the case of Maximillian Schrems v Irish Data Protection Commissioner (often referred to as the Schrems Facebook case), the European Court of Justice (ECJ) declared the then data transfer mechanism, the Safe Harbor scheme, used by almost every US IT company, to be invalid.
Safe Harbor was an agreed benchmark which, when adhered to, would protect the rights of European citizens when their personal data was being transferred to signatories of the scheme in the US.
The Privacy Shield is the proposed replacement mechanism for the exchange of this transatlantic data. In broad terms, the proposed Privacy Shield will provide a mechanism, via an ombudsman in the US, to handle complaints made by EU citizens about the handling of their data, along with commitments from US intelligence agencies that the personal data of European citizens would not be subject to mass surveillance. Like its predecessor, the proposed Privacy Shield will operate on an annual self-certification basis, with oversight provided by the Department of Commerce and enforcement by the US Federal Trade Commission.
Who are A29WP and why does their Opinion matter?
The A29WP is an advisory body made up of each of the EU Member States’ data protection regulators. They have today given their Opinion on the proposed EU-US Privacy Shield and, whilst it is non-binding, their Opinion will weigh heavily on any decision by the Commission to approve (or otherwise) the Privacy Shield.
So what did the A29WP conclude about the proposed Privacy Shield?
Documents leaked last week (rather ironic to talk of leaks here!) more than hinted that the A29WP were not convinced of the merits of the Privacy Shield, and today at the press conference in Brussels this was, to a certain extent, confirmed.
The A29WP felt it was important to note that there had been “important improvements” on the Safe Harbor mechanism, with greater transparency in the Shield, that the rights of EU citizens were better framed, and that the issue of surveillance was dealt with (although not sufficiently). They were, however, critical of the complexity of the solution proposed: the solution being a combination of documents, non-binding letters and annexes which failed to be consistent in their use of definitions and so on. As such, the A29WP felt that the solution in its current form does not provide a single point of reference and is therefore not an easily understandable document.
Isabelle Falque-Pierrotin, the French Data Protection Regulator and chair of the A29WP, reading from a prepared statement, expressed concerns over the possibility of the “massive and indiscriminate” bulk collection of data relating to EU citizens by US authorities and believed that “we don’t have enough security [or] guarantees in the status of the ombudsperson and in their effective powers to be sure that this is really an independent authority.”
The A29WP expressed their concern that the data protection principles are not adequately reflected in the Shield. Ms Falque-Pierrotin highlighted in particular their concerns regarding the lack of clarification of the purpose limitation principle, which raises the possibility of further re-use and onward transfer of the data collected, and, secondly, that the data retention principle is not expressly mentioned. The avenues of recourse are numerous (something that was missing from Safe Harbor), but they are difficult for the end user to navigate when choosing the best option. The A29WP believe the national DPA should be the natural option.
There is an urgent need for clarification. The A29WP also believe that a revision mechanism should be integrated into the Shield to take account of the new GDPR regime: the Privacy Shield is built under the current data protection legislative framework, which will change in two years, and the Shield should therefore be reviewed to accommodate the new standards set out in the GDPR.
Importantly, Ms Falque-Pierrotin set out the A29WP’s four essential guarantees:
- Processing should be based on clear, precise and accessible rules, so that an individual will be able to see what might happen if their data is accessed by a public body and in particular by the US intelligence services;
- Necessity and proportionality need to be demonstrated;
- An independent oversight mechanism must be established and must have sufficient independence to carry out the checks; and
- Effective remedies must be available to individuals to defend their rights before an independent body.
With this in mind, their main concerns were the massive and indiscriminate bulk collection of data and the lack of independence of the ombudsman.
In conclusion, whilst there have been improvements and a great step forward, the concerns and clarifications which have not been addressed led the A29WP to identify that there is still some work to do to improve the Privacy Shield and ensure that the protection it offers is essentially equivalent to that in the EU. Time will tell whether the Commission will take on board the A29WP’s Opinion.