The WP29 Raises Concerns About the Privacy Shield

The Article 29 Working Party (WP29), which participated in the first joint annual review of the Privacy Shield last September, has now released its findings in a report available on its website.

This report follows the one published by the EU Commission last October, which concluded that the Privacy Shield remained valid, despite room for improvement on several aspects. The overall findings of the WP29 are, however, not as favorable as those of the EU Commission.

Indeed, while the WP29 acknowledges that the Privacy Shield constitutes progress in comparison to the Safe Harbor, it also identified in this report several unresolved issues in the way the Privacy Shield currently operates. Further, insisting on the significant nature of its concerns, the WP29 expressly stated that if no remedy is found by 25 May 2018 for its main concerns, or by the second joint annual review for the others, it will take appropriate action against the Privacy Shield, including by challenging it before the CJEU via a preliminary ruling.

What Does the WP29 Want?

In substance, the WP29 is asking – on the commercial aspects of the Privacy Shield – for:

Regarding the surveillance aspects of the Privacy Shield, the WP29 is, in substance, asking the US authorities to:

The WP29 also expressed concerns about the fact that, under US law, EU individuals may not be able to challenge a surveillance measure in court because of overly strict procedural requirements (the “standing requirement”), and may not have any effective remedies available to them when law enforcement authorities access their data held by a US company.

This report does not come as good news for EU companies that currently rely on the Privacy Shield for their EU-US data transfers. With the GDPR coming into effect in six months, EU companies are working hard to bring their privacy programs into compliance, and the stability of the mechanisms available to them, including mechanisms for data transfers, is essential for their success. The risk of DPAs bringing a case against the Privacy Shield before the CJEU creates uncertainty in an area where companies are asking for stability.

How OneTrust Helps

OneTrust enables privacy professionals to prepare for compliance with upcoming privacy regulations and certifications through proactive self-assessments. Free templates are available for the EU General Data Protection Regulation (GDPR), Privacy Shield, BCR (controllers and processors), and APEC CBPR, as part of the OneTrust privacy management platform. Privacy professionals can use OneTrust to benchmark their organizational readiness, prioritize requirements for compliance and provide executive-level visibility.