In March 2016, the EU Commission issued a draft decision stating that the Privacy Shield agreement negotiated between US officials and the EU Commission in January 2016, as a replacement for the former Safe Harbor agreement, offered adequate protection for EU citizens’ personal data transferred to and processed in the US. However, this was subject to review by a number of EU bodies. The draft decision has now fallen at the first hurdle.
The detailed document setting out the result of these negotiations has been considered by the Article 29 Working Party (WP29), a body composed of senior data protection officials from the EU member states and set up to monitor developments in EU data protection law.
Although it considers the Privacy Shield represents an improvement on the Safe Harbor scheme in some respects, the WP29 has rejected the EU Commission’s draft adequacy decision on a number of grounds:
- The proposed means of recourse available to EU citizens to exercise their rights are too complex for them to use in practice, and so are not effective.
- The establishment of an Ombudsman as a redress mechanism, while welcome, is not an adequate system as it lacks appropriate powers and is not sufficiently independent.
- “Massive and indiscriminate” collection of personal data by US security services remains possible as it was not excluded by the US Director of National Intelligence (it was positively asserted this would continue for the purposes of national security).
In this last respect, with regard to the fundamental rights of EU citizens such as privacy of personal data, interference with those rights may only be permitted where it is deemed proportionate and strictly necessary. The WP29 does not consider that mass and indiscriminate surveillance can be justified in this way. In addition, the collection of personal data must always be subject to “comprehensive oversight”, something the WP29 considers is lacking in the US.
These considerations must also be seen in light of the General Data Protection Regulation, the replacement for the Data Protection Directive of 1995, which provides a higher level of regulation than before in the area of Data Protection. This Regulation came into force on 14 April 2015.
What to expect
It is now up to the EU Commission to resolve the WP29’s concerns. Given the nature of the points raised there must be some doubt whether, politically, the US government will be willing to soften its position on national security to satisfy the EU (particularly with a presidential election only a few months away).
In terms of enforcement of continuing data transfers to the US, so far the approach appears to be “wait and see”. However, given the views of the WP29, it may be that national data protection authorities will soon feel compelled to begin to take action.
The next step will be for the EU Commission to consider the views of the WP29 alongside the views of the committee of national data protection authorities before submitting a final position to the EU Parliament for debate and adoption. We will report further as matters develop.
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article.