The WP29 Raises Concerns About the Privacy Shield

The Article 29 Working Party (WP29), which participated in the first joint annual review of the Privacy Shield last September, has now released its findings in a report available on its website.

This report follows the one published by the EU Commission last October, which concluded that the Privacy Shield remained valid, despite room for improvement on several aspects. The overall findings of the WP29 are, however, not as favorable as those of the EU Commission.

Indeed, while the WP29 acknowledges that the Privacy Shield constitutes progress in comparison to the Safe Harbor, it also identified in this report several unresolved issues in the way the Privacy Shield currently operates. Further, insisting on the significant nature of its concerns, the WP29 expressly stated that if no remedy were found by 25 May 2018 for its main concerns, or by the second joint annual review for the others, it will take appropriate action against the Privacy Shield, including by challenging it before the CJEU via a preliminary ruling.

What Does the WP29 Want?

In substance, the WP29 is asking – on the commercial aspects of the Privacy Shield – for:

  • more guidance and information from the US authorities, both for US companies to help them understand how to implement the Privacy Shield Principles in practice, and for EU individuals to help them be more aware of their rights and available recourses and remedies
  • a renegotiation of the scope of HR data (triggering additional safeguards), which currently only covers employee data transferred within the same company, not to US processors. For the WP29, the additional safeguards for HR data should apply to all employee data transferred to the US, regardless of the identity of the recipient.
  • the US authorities to adopt specific rules for US processors. The Privacy Shield mechanism currently applies the same way to all US companies, regardless of whether they are controllers or processors. For the WP29, this is a significant issue since some Privacy Shield rules are simply not suitable for processors and may even contradict their obligations under their processing agreements with EU controllers.
  • the EU Commission to consider the possible need for special rules on automated decision-making as, according to the WP29, the US rules on this matter seem rather limited.
  • improvements to the self-certification process, including by ensuring that company do not publicize their Privacy Shield certification until it becomes active, and conducting investigations into potential false claims of certification.
  • a reinforcement of US oversight and supervision of the self-certified companies to better monitor their compliance with the Privacy Shield Principles.

Regarding the surveillance aspects of the Privacy Shield, the WP29 is, in substance, asking the US authorities to:

  • confirm and provide evidence that it does not engage in bulk and indiscriminate collection of data under section 702 and EO 12333, and complies with the commitment made in the PPD28.
  • appoint the remaining members of the PCLOB to ensure that this organism operates as a fully functioning oversight mechanism for surveillance programs.
  • appoint the Ombudsperson in charge of receiving complaints from EU individuals against US surveillance authorities.
  • provide information on the scope of the Ombudsperson’s powers towards intelligence authorities. The WP29 currently doubts that its powers to remedy non-compliance by these authorities are sufficient to guarantee individuals a right to an effective remedy before a tribunal (as required by the Charter of fundamental rights).

The WP29 also expressed concerns about the fact that, under US law, EU individuals may not be able to challenge a surveillance measure in court because of too strict procedural requirements (the “standing requirement,”) and may not have any effective remedies available to them when law enforcement authorities access their data held by a US company.

This report does not come as good news for EU companies that currently rely on the Privacy Shield for their EU-US data transfers. With the GDPR coming into effect in six months, EU companies are working hard to bring their privacy programs into compliance and the stability of the mechanisms available to them, including mechanisms for data transfers, is essential for their success. The risk of having DPAs bringing a case against the Privacy Shield before the CJEU brings uncertainty in an area where companies are asking for stability.

How OneTrust Helps

OneTrust enables privacy professionals to prepare for compliance with upcoming privacy regulations and certifications through proactive self-assessments. Free templates are available for the EU General Data Protection Regulation (GDPR), Privacy Shield, BCR (controllers and processors), and APEC CBPR, as part of the OneTrust privacy management platform. Privacy professionals can use OneTrust to benchmark their organizational readiness, prioritize requirements for compliance and provide executive-level visibility.