The Commission gave it the official (if lukewarm) OK in October, following the first annual review. Last week it was time for the Article 29 Working Party (WP29) to have its say. The overall verdict: OK but could do better. This is backed up by a threat to mount a legal challenge. But whilst this is more of a story than the Trump announcement earlier this year (see my earlier post), Privacy Shield organisations, or those considering it, should not lose any sleep.
The Opinion starts with the usual lines about welcoming progress before we get down to the juicy stuff. A great improvement on Safe Harbor, welcome the Department of Commerce's commitment and dedicated staff, welcome increased transparency on surveillance and declassification of certain documents etc etc. It reads like a huge 'but' is coming.
"Could do better..."
The WP29 split their objections into two categories: they are not happy with certain aspects on the commercial side, and they have major concerns about state surveillance.
a) Commercial aspects
- WP29 bemoaned the lack of guidance both for organisations certifying to PS and for individuals trying to assert their rights. The Department of Commerce (DoC) retorted that it was principles-based and they wanted organisations to consider the principles rather than copy and paste official text.
- WP29 wants clear guidance for individuals and organisations on how the scheme works. A criticism that could equally be levelled at the pace of WP29's GDPR releases!
- WP29 complained the DoC is not sufficiently checking certifications or ongoing compliance. Whilst DoC reviews privacy notices, it does not check vendor contracts, test a certified organisation's statements nor undertake any proactive compliance monitoring.
- The certification process, which may take a month, requires organisations to publish their privacy notice once they apply; likewise recertifying organisations are given a month's grace. WP29 did not like the idea that the Privacy Shield site would thus be temporarily listing organisations as certified when they were not.
- It transpires there is a major misunderstanding between the EU and US on what constitutes HR data. In DoC's view it only applies to employees of the exporting organisation. One can imagine the stunned silence in the room: "Of course, once it gets transferred to the US, information about those employees stops being HR data, right?"
b) State surveillance
- US authorities make assertions that collection of data under the Foreign Intelligence Surveillance Act s702 is no longer generalised. However, the WP29 had an issue with the lack of evidence or binding commitments to back this up.
- WP29 sees the upcoming deadline to re-authorise s702 as an opportunity to add safeguards such as a 'reasonable suspicion' criterion or oversight body. This seems unlikely given the lack of current appetite in Congress. It won't help that Trump announced the US can keep warrantless surveillance under s702 even if Congress fails to extend it.
- WP29 would like the Privacy and Civil Liberties Oversight Board (PCLOB) to update its report on mass surveillance under s702 and release its currently privileged report on Presidential Policy Directive 28.
- Whilst it rates the PCLOB highly, WP29 laments the fact there are many vacancies on the board (actually only currently one sitting member). Given the vast number of senior posts in the current administration that remain unfilled, this is likely to remain a problem.
- The same gripe was raised against the Ombudsman, which is yet to be appointed. The WP29 also wanted its exact powers and procedures to be clarified.
The Opinion finishes with 20 or so pages of facts that came out of the review interviews, which provide an interesting insight into how the scheme is actually working in practice.
"We may challenge"
The Opinion starts and ends with an invitation to the Commission to rethink the adequacy decision backed up by a threat: the serious concerns must be addressed at the latest by 25 May 2018, the remaining concerns must be addressed at the latest by the second joint review. Failing this, the WP29 will seek a CJEU preliminary ruling.
Stern words. The WP29 represents all EU DPAs so gives an insight into how they perceive Privacy Shield. It also will be the future EDPB and guardian of the GDPR. The WP29 may also be trying to assert its role as overseer of EU data protection following criticism in the Schrems decision.
That said, it is the Commission, not the WP29, which rules on the adequacy of Privacy Shield. The WP29's role stems from a recital which states that participation in the review meeting is "open to" it; the Opinion has no legal status. Given the political nature of Privacy Shield, the importance of transatlantic data flows and the Commission's pronouncement of support, it is hard to see the Commission revisiting its finding. One would expect both the Commission and WP29 to have more pressing matters on their hands come May next year.
A referral to the CJEU will first have to go via a national court which may refuse the referral, or certainly cause delay whilst the specific questions are fought over (witness the upcoming battle in the Schrems 2 referral). The General Court could strike it down, as it just has the Digital Rights Ireland challenge. Then there is the 18-24 month delay at the CJEU itself. By then the third and probably fourth annual reviews will have taken place and who knows what the landscape will look like then? Some of the promising new transfer mechanisms, such as codes of conduct, may even be in place.
So our advice to Privacy Shield certified organisations or those that utilise it is not to panic. Keep an eye on developments but at the moment business should continue as usual. As always, watch this space!