By Gail Crawford and Mark Sun

The Article 29 Working Party (WP29), an independent European advisory body on data protection and privacy released the results of their first review of the EU-US Privacy Shield on Wednesday (6 December 2017). The WP29 has identified several “significant concerns” with the EU-US Privacy Shield (Privacy Shield) programme, as currently operated. Though the WP29 acknowledges that Privacy Shield is an improvement over the Safe Harbor arrangement, the body has called for the European Commission (EC) and the US authorities to restart discussions on an action plan to address these concerns immediately. The review was conducted jointly between WP29 and US authorities, with feedback from US companies.

Unresolved issues identified by the WP29 include:

  • Lack of guidance and clear information for companies participating in Privacy Shield (particularly on the principles of the Privacy Shield, on onward transfers of personal data, and on available rights, recourse, and remedies for data subjects) which makes it difficult for self-certifying participants to correctly interpret their obligations, or for EU individuals to exercise their rights.
  • The US authorities define “HR data” too narrowly and, therefore, do not adequately protect “HR data” (e.g., if employee data is transferred to a US-based Privacy Shield-certified data processor for processing, the US Department of Commerce considers this data as commercial data, not HR data).
  • Insufficient oversight and supervision by the US authorities of compliance (no reviews or proactive monitoring for verification or fraud have been conducted by the US authorities to date).
  • An inconsistent approach to onward transfers of personal data from an EU processor to a US processor (whereby US authorities consider such transfer to be for commercial purposes, and, therefore, consider the processing by the US processor to be beyond EU data protection authorities’ scope of regulation).
  • Lack of rules concerning automated decision making (a concern prompted by the non-specific nature of the feedback received from US companies).
  • Insufficient evidence that US intelligence activities (i.e., PRISM, UPSTREAM) are “as tailored as feasible” (i.e. such that requests for data are precise, subject to criteria such as “reasonable suspicion”, and subject to independent scrutiny, etc.).
  • Concern that a lack of appointments to vacant positions on the Privacy and Civil Liberties Oversight Board (PCLOB) hampers the PCLOB’s oversight function of US surveillance/intelligence activities.
  • Insufficient access to redress or remedy for an EU individual as a data subject, including in surveillance matters.

The WP29 has stated its intent to engage with US authorities to address these concerns, but has called for the appointment of an independent Ombudsman and PCLOB members, as well as an explanation of the rules of procedure (between the Ombudsman mechanism and the intelligence community) before 25 May 2018.

The WP29 has indicated that the remaining concerns must be resolved before the second joint Privacy Shield review, otherwise WP29 will bring claims regarding the Privacy Shield Adequacy decision before EU national courts.

With the Standard Contractual Clauses being challenged before the Court of Justice of the European Union, following the referral of Schrems II by the Irish courts, there continues to be uncertainty over the legal basis of the EU data export regime.