EU-U.S. Privacy Shield May Not Be Up After All


Bad news for companies relying on transatlantic data flows as, once again, the transfer of personal data from Europe to the United States is called into question by the Article 29 Working Party (the “Working Party”), an influential committee of the EU privacy regulators. Ever since the EU-U.S. Safe Harbor Framework was declared invalid by the Court of Justice of the European Union in October 2015, companies have had to find alternative ways to legally transfer personal data. On 29 February 2016, the EU Commission proposed the "EU-U.S. Privacy Shield" as a replacement to the Safe Harbor Framework and a potential solution.

The Privacy Shield has faced intense scrutiny from various stakeholders, including regulators, politicians and members of civil society.  These interested parties have raised doubts regarding the validity of the new framework.

According to the Working Party's latest opinion, it considers that the current draft of the Privacy Shield will not provide adequate protection for personal data transferred to the US.  While it welcomes what it calls “significant improvements” on the Safe Harbor Framework, the Working Party has expressed concern about both the “commercial aspects” and access by public authorities to data transferred under the Privacy Shield.  It has asked the EU Commission to resolve its concerns, to clarify some points and to improve the draft adequacy decision.

The main issues raised by the Article 29 Working Party are:

  • lack of clarity: the Privacy Shield comprises various sets of documents making them difficult to review which are also not consistent;
  • lack of data protection principles: certain aspects of EU data privacy law are not reflected in the Privacy Shield, including principles relating to purpose limitation and data retention;
  • complexity of the redress mechanisms: while additional resources will be made available to individuals to exercise their rights, the Working Party is concerned that the mechanism may prove too complex;
  • lack of representations: the representations of the US Office of the Director of National Intelligence are not sufficiently precise to exclude massive and indiscriminate collection of personal data from the EU; and
  • lack of independence: the Working Party is concerned that the new Ombudsperson set up to review US intelligence activities relating to personal data from the EU is not sufficiently independent and not vested with adequate powers to exercise its duty.

While non-binding, the opinions from the Working Party are important and are usually taken into consideration by the EU Commission. Should the Working Party recommend that the EU Commission revise and renegotiate the Privacy Shield, companies dependent on data flows between the EU and the U.S. will again be in limbo as to the legality of their activities.

If you are conducting transatlantic data transfers, you can read about alternative solutions for transatlantic data transfers in our previous post on US–EU Safe Harbor.