A draft transatlantic data transfer framework approved in February by the European Commission and the U.S. Department of Commerce received a less-than-enthusiastic response from EU data protection authorities today, effectively giving U.S. companies little assurance as to how they can legally transfer personal data from Europe into the United States.  

As Compliance Week previously reported, the EU-U.S. Privacy Shield will replace the Safe Harbor Framework, which was invalidated by the European Court of Justice in October 2015 in the case Schrems v. Data Protection Commissioner. The decision effectively meant that personal data transferred from Europe to the United States was no longer presumed to be adequately protected, leaving the nearly 4,500 companies that self-certified under the Safe Harbor principles in a state of limbo.

During a press conference today, Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, while acknowledging “major improvements” of the Privacy Shield compared to the Safe Harbor decision, added that “we believe there is still work to do.” The Working Party’s assessment, while not legally binding, carries significant weight, particularly as it concerns any legal challenges to the agreement.

Falque-Pierrotin specifically cited two main concerns that the Article 29 Working Party has about the Privacy Shield. The first concerns the potential for European citizens’ data to be collected in bulk and at a massive scale by U.S. intelligence agencies for public security reasons.

The second main concern is the independence and effectiveness of the powers of the ombudsperson. “We believe we don’t have enough security guarantees in the stages of the ombudsperson and in the effective powers of this ombudsperson in order to be sure that this is really an independent authority,” Falque-Pierrotin said.

Concerning the commercial aspects, the Working Part said it “first of all considers that some key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions. In particular, the application of the purpose limitation principle to the data processing is unclear.”

“The Working Party is also concerned that the data retention principle is not expressly mentioned and cannot be clearly construed from the current wording of the text. Furthermore, there is no specific wording on the protection that should be afforded against automated individual decisions based solely on automated processing,” the opinion stated.

“Because the Privacy Shield will also be used to transfer data outside the United States, the Working Party said it “insists that onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower or circumvent EU data protection principles.”

Furthermore, although the avenues of recourse have been “improved,” Falque-Pierrotin said, the overall system is “a bit too complex” with “too many avenues,” make it difficult for EU citizens to use. “The [data protection authority] should be natural point of contact for EU individuals in the various procedures,” she said.

Falque-Pierrotin added that the Privacy Shield should be able to be revised, taking into account the EU’s General Data Protection Regulation (GDPR). Designed to bring EU data protection laws into the digital age, the GDPR will replace the current EU Data Protection Directive, enacted in 1995, marking the most sweeping changes to EU data privacy legislation in the last 20 years.

The Privacy Shield is built under the current Directive. “Within two years, we’re going to have a more demanding framework in terms of protection,” Falque-Pierrotin said. When GDPR is fully in practice, the Privacy Shield should be reviewed to take into account the new standards included in the regulation, she said.

The Article 29 Working Party now waits for the Commission to give its final word: “We urge the Commission to resolve these concerns to identify the appropriate solutions and to provide the requested clarifications,” Falque-Pierrotin said.

Industry response

In response to the opinion issued today, the Information Technology and Innovation Foundation (ITIF), a technology policy think tank, said it was disappointed that the Article 29 Working Party has not affirmed the adequacy of the EU-US Privacy Shield Framework.

“The new agreement offers a host of new protections, obligations, and opportunities for redress that affirm the commitment of the U.S. government to safeguard European data and respect the rights of European citizens, ITIF Vice President Daniel Castro said in a statement. “Moreover, the agreement has achieved widespread support on both sides of the Atlantic from many policymakers, businesses, and advocacy groups for offering an opportunity to move forward after the European Court of Justice invalidated the Safe Harbor agreement in the Schrems decision.”

“While members of the Article 29 Working Party should continue to offer suggestions on how to strengthen this agreement—and there are opportunities for improvement—the opportunity for improvement should not preclude official approval of the agreement,” Castro added. “A prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, hurting businesses, workers, and consumers.”

Many opportunities will arise to build onto the initial Privacy Shield Framework, as all parties involved have already agreed to meet at least annually to discuss how to further improve the functioning, implementation, supervision, and enforcement of the framework, Castro noted. “Given the crucial importance of transatlantic data flows to the global digital economy, the national data protection authorities should not try to hold the digital economy hostage to extract further tweaks to the agreement,” he said. “We urge the European Commission to affirm the adequacy of the Privacy Shield Framework.”

Continue the conversation at Compliance Week Europe: 7-8 November at the Crowne Plaza Brussels. Join us as we look at changes in global anti-corruption regulations, slave labour risks in your supply chain, and how to detect fraud, to name just a few topics. Learn more