European Commission may need to revise the draft proposal to meet the concerns expressed by the Article 29 Working Party.
As we reported in a previous LawFlash (European Commission Releases Details of New EU-US Privacy Shield), on February 29, 2016, the European Commission published a draft adequacy decision to establish the EU-US Privacy Shield, the replacement for the invalidated Safe Harbor program that previously allowed transfers of personal data between the European Union and certified organizations in the United States.
The publication of the draft adequacy decision was initially welcomed by the Article 29 Working Party, which advises the European Commission on data protection matters. Following a review of the documentation, the Article 29 Working Party has given its opinion on the draft EU-US Privacy Shield and expressed significant concerns that the draft proposal does not give enough protection to European citizens because “. . .massive and indiscriminate data collection is not fully excluded by the US authorities and. . .the powers and position of the Ombudsman have not been set out in more detail.” The Article 29 Working Party is concerned that a number of important data protection principles have not been expressly incorporated within the EU-US Privacy Shield, including the data protection limitation and purpose limitation principles. The Article 29 Working Party also identifies that there is no mechanism for updating the EU-US Privacy Shield once the General Data Protection Regulation comes into force, which is now likely to be mid-2018.
The Article 29 Working Party has not, however, rejected the proposal, but has instead requested that the European Commission clarifies the drafting of the proposal and resolves the outstanding concerns about adequately protecting personal data. Isabelle Falque-Pierrotin, chair of the Article 29 Working Party and head of France’s data protection authority, CNIL, recognized during a press conference that the EU-US Privacy Shield was a “great step forward” compared to the previous Safe Harbor program.
The European Commission is not bound by the Article 29 Working Party’s opinion and could still, therefore, formally adopt the draft adequacy decision notwithstanding the Article 29 Working Party’s concerns. A more likely outcome is that the European Commission will now revise its decision in order to address the Article 29 Working Party’s concerns. If so, this is likely to require further negotiations with the US authorities. Accordingly, it seems unlikely that the EU-US Privacy Shield will be adopted in June 2016 as originally anticipated.
In the meantime, companies should continue to rely on the Standard Contractual Clauses and Binding Corporate Rules for their EU-US data transfers.