EU-US Privacy Shield: The Article 29 Working Party raises its concerns
It is a little over six months since the CJEU invalidated the European Commission's Safe Harbor Decision. Since that fateful date the EU and the US have agreed upon the EU-US Privacy Shield ("Privacy Shield"), an alternative framework for transatlantic data flows. With the publication of the Privacy Shield legal documentation the Commission provided its draft adequacy decision in respect of the level of protection of personal data offered by a third country, i.e., the US. However, before the Commission can finalise its adequacy decision on the Privacy Shield it needs to follow a comitology procedure which includes obtaining an opinion from the Article 29 Working Party ("WP29"). Yesterday the WP29 gave its opinion.
The WP29's press conference started with its Chair, Isabelle Falque-Pierrotin (who is also head of the CNIL, the French Data Protection Authority), announcing that the WP29's first reaction to the Privacy Shield was "positive". Despite this upbeat start, Ms Falque-Pierrotin went on to discuss the shortcomings of the proposed transfer mechanism and its documentation. The WP29 considers that the format of the Privacy Shield documentation, which consists of the draft adequacy decision and its seven annexes, is too complex and features a number of inconsistencies. In formulating its opinion the WP29 reviewed all of the legal documentation and held multiple meetings with the Commission and the US administration, as well as additional meetings with US representatives in Washington, in order to seek clarification on a number of aspects of the Privacy Shield.
The list of legislation and case law that the WP29 considered while producing its opinion on the Privacy Shield demonstrates the size of the challenge for US businesses, which operate on a continent with a historically and culturally different approach to privacy and data protection compared to Europe. The backdrop for the WP29's opinion included the Data Protection Directive 95/46/EC; Article 8 of the European Convention on Human Rights (the right to respect for one's private and family life); Articles 7, 8 and 47 of the EU Charter of Fundamental Rights (respectively the respect for private life, the protection of personal data and the right to an effective remedy and a fair trial); as well as the all-important Schrems judgment, which Ms Falque-Pierrotin highlighted "insists on the posture we should take which is rather demanding". The press conference and the WP29's opinion also underline how the WP29 awaits "the forthcoming rulings of the CJEU (Court of Justice of the European Union) in cases regarding massive and indiscriminate data collection". Furthermore, with the text of the General Data Protection Regulation ("GDPR") now agreed, the WP29 has stated that if the Privacy Shield adequacy decision is adopted, the Privacy Shield would need to be reviewed soon after the GDPR comes into force to make sure that it reflects the greater level of personal data protection the GDPR provides to individuals.
The WP29 has examined both the commercial aspects of the Privacy Shield and the possible exemptions from its principles in respect of national security, law enforcement and public interests. With regard to the commercial aspects, the WP29 does not consider that the Privacy Shield at present provides an "essentially equivalent" level of protection to that which the EU framework gives to a data subject. This is because some key data protection principles, such as data retention, are not expressly provided for in the Privacy Shield or its annexes, and the application of the purpose limitation principle is considered unclear. Reflecting upon the WP29's statement that it does not expect "a mere and exhaustive copy of the EU framework" but does require an "essentially equivalent" level of protection, it is difficult to ascertain what flexibility, if any, is available to the EU-US regime.
Besides concerns about onward transfers, the WP29 highlights its unease about individuals' ability to exercise their rights. The WP29 considers that in practice the redress mechanism may be too complex for EU individuals and thus ultimately be ineffective. This is a legitimate concern given that individuals with little or no legal background will be representing themselves across jurisdictions, most likely via online written communications rather than in person or orally. The WP29 has, in effect, volunteered EU DPAs to act as the "natural contact point" where any redress is sought by EU individuals.
As for derogations for national security purposes, the WP29 emphasises that the US Office of the Director of National Intelligence does not exclude massive and indiscriminate collection of data that originates in the EU. Reiterating its own position, the WP29 forthrightly states that massive and indiscriminate collection of data "can never be considered as proportionate and strictly necessary in a democratic society". The WP29 inevitably acknowledges that today's democratic society is extensively challenged by terrorism, which increases the pressure on surveillance and intelligence services. Nonetheless, given the lack of "conclusive jurisprudence" on the collection of personal data and its use for the "purpose of combating crime", the WP29 awaits the CJEU's decisions on data retention, referred to above, which are expected later this year.
While the actual substance of today's WP29 opinion may not have come as a surprise, especially in light of last week's events, including the "leak" of the opinion by German DPAs and the remarks made by Ms Falque-Pierrotin at the Global Privacy Summit in Washington, it may well prove disappointing for many businesses. Even though the WP29 opinion is not binding, it is persuasive and well respected. With the overall impression that there is a considerable amount still to do before the Privacy Shield meets an "essentially equivalent" standard of data protection, this formal announcement does not create any immediate relief for businesses needing a suitable transatlantic data transfer mechanism other than model clauses and Binding Corporate Rules.
In the Q&A session following the WP29's announcement, Ms Falque-Pierrotin was bombarded with questions about the validity of the other transfer regimes. She asserted that reliance upon Model Clauses and BCRs for transfers to the US is valid for the moment. Post Schrems, the CNIL and German DPAs have asked data controllers and processors about the alternative transfer mechanisms on which they now rely. In contrast, the UK's ICO at the time of writing maintains the pragmatic approach set out in its "Data transfers to the USA and Safe Harbor - interim guidance", which confirms that while the Privacy Shield is in a state of flux it will not "rush" to use its "enforcement powers", and advises businesses not to "rush" their decision about which mechanisms to rely upon.
Standards, standards. Is the WP29 being too exacting? Former FTC Commissioner Julie Brill believes that the Privacy Shield is good enough. The Commission has certainly been given a clear roadmap by the WP29 to bridge the perceived gap. Regardless of cultural differences with respect to data protection, a pragmatic and workable solution is much needed to enable today's borderless data flows and the EU's Digital Single Market strategy. June 2016 is the Commission's proposed deadline for its adequacy decision on the Privacy Shield. According to Vera Jourova, the Commission is going to work "swiftly" to include the WP29's "useful recommendations … in its final decision". Can the "transatlantic chaos" be stilled? The clock continues to tick.
The cases referred to are (i) Tele2 Sverige C-203/15 and Davis & Ors C-698/15; and (ii) Validity of the PNR Canada agreement, Case A-1/15.