By Daniel L. Farris
A group of European data protection authorities, known as the Article 29 Working Party, is refusing to support the proposed transatlantic data transfer deal known as the “Privacy Shield.” In a highly anticipated opinion issued Wednesday – which does not bode well for US companies anxiously awaiting guidance after the invalidation of Safe Harbor last year – the Working Party criticized the Privacy Shield for its failure to provide protection for EU citizens’ data against US government surveillance programs.
In February, the European Commission and US Department of Commerce announced a new deal to replace the Safe Harbor mechanism for transferring personal data from Europe to the United States. While acknowledging that the Privacy Shield was an improvement that would impose new and heightened obligations on US companies to protect Europeans’ privacy, the Working Party expressed numerous concerns over the ways transferred data may be used for commercial or national security purposes.
The Working Party’s Concerns
French data protection regulator and Working Party chair, Isabelle Falque-Pierrotin, expressed the Working Party’s general view that “some key data protection principles as outlined in European law are not really reflected in the [proposed Privacy Shield] or have been inadequately substituted by alternative notions.” With regard to US commercial operations, the Working Party noted the absence of data retention and deletion standards that would require companies to delete data that became irrelevant or was no longer necessary to the purpose for which it was collected. Without such standards, EU regulators are concerned about the reuse or repurposing of data for broad purposes, as is not uncommon in the United States.
The Working Party has also expressed doubt about the limits to onward transfer (the process of transmitting European data received in the US on to a third country, particularly those with lower privacy and data security standards). The onward transfer element has been particularly tricky for US companies to navigate, even under the old Safe Harbor mechanism, as even access to data on US servers from a remote location could be deemed a violation of the prohibition against onward transfer.
Nor was the Working Party pleased with proposed changes to administrative mechanisms proposed in the Privacy Shield. The redress mechanism, for example, which was crafted in response to criticisms that Europeans have no judicial means of redress for misuse of their data, was not well-received, with EU regulators preferring European citizens to have rights in European DPAs. The Working Party similarly decried the creation of an ombudsman at the US Department of State to handle national security complaints, complaining that this individual would have enough independence to stop the “massive and indiscriminate” bulk collection of data by US surveillance agencies.
“We believe that we don’t have enough security guarantees in the status of the ombudperson and in the effective powers of this ombudsperson in order to be sure that this is really an independent authority,” Falque-Pierrotin said at a press release accompanying the opinion.
Finally, the Working Party pressed US-EC negotiators, once again, to insert a “revision” clause into the Privacy Shield that would allow the Working Party an opportunity to reexamine the deal in two years when the General Data Protection Regulation is slated to take effect. The GDPR, which has recently been finalized in principle, is intended to unify and further strengthen EU privacy and data security laws.
Although the Working Party’s opinion is not binding on the European Commission, it will be influential. European Union member states must next vote to approve or reject the Privacy Shield, which, even if approved, will not go into effect until the European Commission affirms the adequacy of the deal in light of the Court of Justice’s Schrems opinion. In other words, if the EC and US do not take the opinion of the Working Party seriously, and take steps to address the concerns expressed in the Working Party’s opinion, the Privacy Shield is more likely to be challenged in European courts.
Not surprisingly, word of the Working Party’s opinion has not been well-received by business leaders in the US or Europe. Many business groups have supported the Privacy Shield, arguing that it does rise to the Court of Justice’s standard that a transatlantic data transfer deal must provide an "essentially equivalent" level of protection for personal data transferred from the EU to the US. A number of multinational businesses are pushing for final approval of the Privacy Shield agreement.
Ultimately, many US companies find themselves operating with continued regulatory uncertainty that makes meaningful compliance all but impossible. As the Privacy Shield debate continues, and some European member state DPAs grow impatient, the risk of liability or new regulatory enforcement campaigns is growing for US companies.
For assistance in understanding how the Working Party opinion, Privacy Shield, or GDPR may affect your company, auditing privacy and data security compliance programs, drafting model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security team member.