EU Data Protection Regulators Express Dissatisfaction with Privacy Shield

  • Ireland
  • General

07-12-2017

The EU – US Privacy Shield (the “Privacy Shield”) is a cross-Atlantic agreement that allows data to be transferred from the European Union to the United States.  The mechanism was developed when the previous regime, the Safe Harbour Framework, was deemed by the European Court of Justice in 2015 to provide inadequate protection to EU citizens.  On 12 July 2016, the European Commission approved the Privacy Shield, the aim of which is to provide stronger protection for the personal data of EU citizens when that data are exported to the US.

The Safe Harbour Framework had been relied upon by many international organisations (including Google, Facebook and Microsoft) in the course of their day-to-day business.  The Privacy Shield has now been in operation for over a year, and recent comments from EU Regulators on the first joint review show that there are still some major concerns around the practical operation of the agreement.

Eight members of the Article 29 Data Protection Working Party (“WP29”) were part of a group who conducted the first review of the Privacy Shield between 18 and 19 November 2017 in Washington DC.  WP29 looked at the level of protection afforded to EU individuals when their data are transferred to the US under the Privacy Shield framework, focusing particularly on two main areas: the commercial aspects of the Privacy Shield and US government access to personal data transferred from the EU.

Commercial Aspects

WP29 acknowledged the efforts that had been made to set up a comprehensive procedural framework to support the operation of the Privacy Shield and also the strengthening of checks to be performed before organisations could be certified to be compliant. 

Although the US Department of Commerce issued guidance for businesses aiming to self-certify under the Privacy Shield and there are a number of “FAQs” on the website, WP29 felt that there was still insufficient guidance and information on core aspects of the Privacy Shield.  WP29 particularly singled out onward transfers, the Choice Principle (how and when a data subject can opt out of the processing of their data for a new purpose) and rights of access to personal data as areas that could benefit from clearer information and practical guidance.

WP29 also felt that there was insufficient information and guidance for EU individuals, with the regulator noting that the recourse procedures under the Privacy Shield (where individuals wished to make a complaint against a company processing their data) were too complex to be used effectively.  WP29 recommended that more information should be provided and that the information should be accessible and easily understandable.

WP29 also pointed out that there seems to be confusion in relation to what exactly constitutes “HR data”.  WP29 take a broad view and define HR data as any personal data concerning an employee in the context of an employer-employee relationship.  The Privacy Shield’s interpretation is much narrower, in that only the processing of data of employees within the same company falls within the definition. 
 
The lack of oversight and supervision, particularly where the Privacy Shield system relies on self-certification, was another serious concern of WP29.  Potential solutions to this problem could include routine monitoring to detect false claims of participation in the Privacy Shield and the use of compliance questionnaires with companies who have self-certified.

Related to this concern was the question of whether companies processed data transferred under the Privacy Shield through automated decision making systems.  Although the information gathered during the joint review indicated that this was not the case and that specific rules exist under US Law in certain fields, the feedback from companies was very general and WP29 recommended that specific rules be introduced around automated decision making and profiling.

Access by Public Authorities

The second part of WP29’s opinion on the first joint review focused on the steps that had been taken by the US government to date to increase transparency around the use of surveillance powers, which is naturally a worrying topic for EU citizens. 

Of particular concern to WP29 was the collection of and access to personal data for national security purposes under two pieces of legislation: section 702 of the Foreign Intelligence Surveillance Act of 1978 and Executive Order 12333.  WP29 called for further evidence of legally binding commitments that the collection of data is not indiscriminate and that access is not on a generalised basis.  The EU regulator also recommended that precise targeting should be used to determine whether an individual or group should be a target of surveillance.

WP29 noted that there are a host of vacancies on the Privacy and Civil Liberties Oversight Board (the “PCLOB”), which is the independent agency tasked with reviewing and analysing actions taken by the executive branch to tackle terrorism.  At present, Elisebeth Collins is the only current member of the PCLOB, with the other four positions lying vacant.  These vacancies should be filled immediately to ensure effective control and monitoring of the Privacy Shield.  A permanent Privacy Shield Ombudsperson should also be appointed as soon as possible and their exact powers clarified.

WP29 underlined the seriousness of its concerns around access to data for law enforcement purposes and the remedies available to EU individuals in these circumstances.

Conclusion

WP29 concluded by calling for discussions to be restarted and an action plan to be set up immediately to address all of these concerns.  In the event that the concerns are not addressed by 25 May 2018 (in the case of “prioritised concerns”) or the date of the second joint review (in the case of the remaining concerns) the members of WP29 have stated that they will take “appropriate action”, up to and including bringing the Privacy Shield adequacy decision to national courts for them to make a reference for Preliminary Ruling to the CJEU.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
