European Union data protection authorities indicated in a recent statement that they will hold off on any new challenges to the EU-U.S. Privacy Shield for at least one year.
As Compliance Week reported, the European Commission on July 12 adopted a final version of the EU-U.S. Privacy Shield, keeping intact all the main data protection requirements concerning companies that were set out in the proposed framework issued in February. In its original opinion on the draft EU-U.S. Privacy Shield issued in April, the Article 29 Working Party (WP29), which acts as a policy-setting body for all EU data protection agencies, expressed concern and asked for various clarifications. In its latest statement, the WP29 said that a “number of these concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.”
One of the group’s biggest concerns, for example, has to do with access by public authorities to data transferred to the United States under the Privacy Shield. “The WP29 would have expected stricter guarantees concerning the independence and the powers of the ombudsperson mechanism.”
“Regarding bulk collection of personal data, the WP29 notes the commitment of the Office of the Director of National Intelligence not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.”
Moving forward, the WP29 noted that the first joint annual review will be “a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed. In this regard, the competence of DPAs in the course of the joint review should be clearly defined.”
“When participating in the review, the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective,” the WP29 stated. “The results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”
Even if the WP29 does not challenge the Privacy Shield for at least one year, however, that is not to say that its provisions will not face any legal challenges prior to that time. “A more modest—and realistic—interpretation of the WP29 opinion would be that the DPAs themselves won’t seek to scupper Privacy Shield during its first year,” said Susan Foster, a member at law firm Mintz Levin. “Instead, they will leave that to individuals who remain skeptical of the EU-US privacy deal.”