WP29 Releases First Joint Review of Privacy Shield

The Article 29 Working Party (WP29) recently released an opinion from its first joint review of the Privacy Shield. The WP29 focused on “commercial aspects of the Privacy Shield” and “government access to personal data transferred from the EU for the purposes of Law Enforcement and National Security.”

The WP29 was pleased with U.S. efforts on the commercial aspects to “set up a comprehensive procedural framework to support the operation of the Privacy Shield,” including development of procedures for self-certification. However the WP29 noted lingering issues:

• companies need clear requirements for compliance;
• individuals must be informed of their rights under the Privacy Shield;
• Privacy Shield should provide extra protection to personal “HR data” in all circumstances;
• U.S. agencies need to conduct routine compliance investigations;
• Privacy Shield must better distinguish processors from controllers;
• guidelines on automated-decision making/profiling remain vague; and
• adjustment to the re-certification process is needed to avoid gaps in data protection.

In discussing government access to information under the Privacy Shield, the WP29 approved of increased U.S. transparency on its surveillance powers, yet noted concerns about:

• the potential for government access to massive and indiscriminate amounts of data under current U.S. procedures;
• standing of EU citizens to challenge surveillance in U.S. courts;
• the need for appointment of a permanent, independent Ombudsperson with an ability to remedy illegal surveillance.

The opinion ended with a call to the Commission and the U.S. to “restart discussions” to address these concerns. The WP29 warned that failure to address its concerns would cause it to “bring the Privacy Shield Adequacy decision to national courts for them to make reference to the [Court of Justice of the EU] for a preliminary ruling.”

TIP: Pay close attention to the continuing legal development of the Privacy Shield and the action taken by U.S. authorities and the Commission to address these concerns.