The Dynamics Between the Article 29 Working Party and the EU-U.S. Privacy Shield

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

EU-U.S.Privacy Shield

The U.S. Department of Commerce began accepting applications Aug. 1 from U.S. organizations to self-certify under the EU-U.S. Privacy Shield. The EU and U.S. need to continue to work together to strengthen and improve this transfer mechanism until its future is certain and beyond doubt as much as any framework can be, the authors write.

Lorna Cropper Alexander de Gaye

By Lorna Cropper and Alexander de Gaye

Lorna Cropper, LL.M., CIPP/E is a senior associate at Fieldfisher in London and is a member of the Privacy & Information group.

Alexander de Gaye is a trainee solicitor at Fieldfisher in London.

Beginning Aug. 1 the U.S. Department of Commerce began accepting applications from U.S. organizations to self-certify under the EU-U.S. Privacy Shield. For organizations that transfer personal data from the EU to the U.S. the Privacy Shield will need no introduction. The Privacy Shield provides the adequate level of protection for such data transfers as required under the EU's legal Data Protection framework. As a replacement for the Safe Harbor regime, invalidated by the Court of Justice of the European Union (CJEU) in its judgment in the Schrems case Oct. 15, 2015 (14 PVLR 1825, 10/12/15), the journey of the Privacy Shield from initial negotiations between the EU and U.S. to its published draft and final adoption has faced much scrutiny from EU watchdogs including the Article 29 Working Party (WP29) .

On July 26, 2016, two weeks after the European Commission (the Commission) launched the adopted Privacy Shield, the WP29 issued a press release about its thoughts on the transfer mechanism. This communication was subsequent to the WP29's Opinion WP238 on the Privacy Shield draft adequacy decision that was published April 13 and raised a number of concerns with the Privacy Shield proposal. While the opinions of the WP29 are non-binding they can be extremely influential.

The WP29's press release acknowledges the improvements which have been made to the Privacy Shield since the publication of Opinion WP238 and the Privacy Shield's final adoption together with the collaborative efforts of the Commission and U.S. authorities. Despite this positive start, the press release continues to state in bold lettering that “a number of these concerns remain.” Without further ado the WP29 expresses its concerns without any additional reflection on what has improved and any benefit that these improvements may bring to the Privacy Shield.

In this article we consider the remaining issues the Privacy Shield presents for the WP29 and how the WP29's position differs from that in its Opinion WP238 before analyzing the impact the WP29's view may have on the take up of the Privacy Shield and how the WP29 will engage with the Privacy Shield. It is also interesting to consider whether the concerns the WP29 continues to raise are actually valid.

The Privacy Shield Criticisms

The WP29's initial concern is that there continues to be a “lack of specific rules on automated decisions and of a general right to object.” Recital 25 of the adequacy decision acknowledges that due to the nature of the transfers between the EU and the U.S. there will be a “limited number of cases” which will involve automated processing by a Privacy Shield organization. Nonetheless, there is an acceptance that in today's “modern digital economy” this is an area that demands close monitoring and thus the EU and U.S. have agreed that this subject will form part of the first annual review of the Privacy Shield as well as subsequent reviews as and when relevant. Arguably this is a fringe issue that is already on the review agenda in case automated decision making using the transferred data becomes more prevalent.

The WP29's press release reiterates its concerns about the independence and the powers of the ombudsperson despite amendments to this mechanism by the U.S. Secretary of State John Kerry. Kerry emphasizes the important reforms that the U.S. has made in this area, including the Presidential Policy Directive 28 (PPD-28), which are designed to limit the amount of signals intelligence that is collected and processed.

Despite the above mentioned reforms within the U.S. legal framework post-Snowden, the WP29 drew particular attention in its Opinion WP328 to the bulk data collection undertaken by the U.S. which the WP29 stated, “can never be considered as proportionate and strictly necessary in a democratic society.” Prior to being adopted, the adequacy decision was amended to reflect that the Office of the Director of National Intelligence (ODNI) will “target” bulk collection and apply “filters and other technical tools” to ensure the level of “non-pertinent information” collected is minimised. Such assurances have not however placated the WP29 that “notes the commitment of ODNI … nevertheless, it regrets the lack of concrete assurances that such practice does not take place.”

Interestingly the WP29's Opinion WP238 mentioned that the WP29 would continue to observe the forthcoming judgments of the CJEU in respect of cases regarding massive and indiscriminate data collection. Some two weeks ago the CJEU advocate general issued his non-binding opinion on this matter which concluded that data retention may be compatible with EU law if there are strict safeguards in place and the purpose of the retention is to fight the most serious crime.

The Privacy Shield for Data Processors

The WP29's press release highlights the continued lack of clarity about how the Privacy Shield will apply to processors which was equally raised in its Opinion WP238. Given the regularity with which processors and sub-processors are engaged by controllers, it is unfortunate that the application of the Privacy Shield to processors is not explicitly stated. Nonetheless, organizations that self-certify within two months of applications being accepted, i.e., by Sept. 30, will receive a nine months' grace period from the date they self-certify to ensure that their existing commercial relationships comply with the Privacy Shield rules in relation to the Accountability for Onward Transfer Principle (Transfer Principle). The requirements of the Transfer Principle demand that Privacy Shield organizations transferring personal data to a third party agent i.e., a processor, ensure that the processor, amongst other things provides “at least the same level of privacy protection as is required by the Principles.” Annex II, Sec. II (3)(b).

In practice, how will an agent demonstrate that it provides “at least the same level of privacy protection as is required by the Principles?” Furthermore, what does this phrase actually mean? The Privacy Shield does not provide a precise definition of what this means nor is there any working example to explain how a processor that is not self-certified would exhibit its level of privacy protection.

Taken literally the processor and/or sub-processor who does not self-certify will need to commit to the Principles including the Supplemental Principles as provided for at Annex II to demonstrate the level of privacy protection they offer. For example, they will need to adhere to Principles such as Notice, the Transfer Principle and Security together with the Supplemental Principles, which outline an organization's obligation to matters including Sensitive Data, Journalistic Exceptions and Secondary Liability.

While guidance is awaited as to whether EU Standard Contractual Clauses (aka Model Clauses) can be used to verify a processor/sub-processors' level of privacy protection, self-certifying organizations in the meantime will need to ensure that they perform appropriate due diligence of their agents' procedures and include a clause in their contracts that the agent does have “the same level of privacy protection as is required by the Principles.”

The WP29 in its Opinion 238 was somewhat baffled that the EU data protection authorities (DPAs) had not been integrated into the redress mechanism for data subjects. The WP29 volunteered the services of DPAs for this role given that they are “a natural contact point” for data subjects. Further to the WP29's Opinion 238, the adopted Privacy Shield now provides that organizations upon self-certifying can voluntarily commit to cooperate with the DPAs when choosing an independent recourse mechanism—although such cooperation is however mandatory for organizations processing human resources data. In addition, individuals can bring a complaint directly to a DPA. This shift in the DPAs' ability to assist data subjects exercising their rights under the Privacy Shield produced a commitment from the WP29 to “proactively and independently” help data subjects “in particular when dealing with complaints.”

Data Agencies Seek Continuing Influence

In comparison to its Opinion 238 the WP29's press statement is somewhat moderate in the concerns it raises. Bulk surveillance in the U.S. is problematic for all adequacy decision data transfer mechanisms including Standard Contractual Clauses and Binding Corporate Rules and thus the Commission will “continuously monitor the overall framework … as well as compliance by U.S. authorities with the representations and commitments” they have provided. The Privacy Shield's first real test will most likely come during its first annual review which the WP29 refers to in its press release as a “key moment.” The annual review will provide an opportunity for “the national representatives of the WP29 to not only assess if the remaining issues have been resolved but also if the safeguards provided under the EU-US Privacy Shield are workable and effective.” The WP29's press release also highlights how the first annual review “may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”

It is apparent from the WP29's Opinion 238 and press release that some DPAs want to have a pivotal role in the monitoring of the Privacy Shield and the WP29 in its press release calls for the competence of the DPAs' involvement in the annual review to be clearly defined. Yet all is not completely harmonious amongst all DPAs and when the Article 31 Working Party voted on the adequacy decision, four Member States abstained from the vote, reported to be Austria, Croatia, Slovenia and Bulgaria. Thus despite the EU adoption of the Privacy Shield, its existence and longevity are by no means guaranteed. The Privacy Shield will inevitability be legally challenged by a civil liberties group and even by a DPA.

Will U.S. Organizations Certify?

Thus with all adequacy decisions under the spotlight, U.S. organizations receiving data from the EU will have to consider which mechanism is the most suitable for them. With applications for Binding Corporate Rules taking more than 12 months to complete organizations are left with a choice of the tried and tested Model Clauses mechanisms or the new mechanism in town, the Privacy Shield. For those organizations with the choice between Model Clauses and the Privacy Shield in the short to mid term there is probably no need to rush to become self-certified especially if a considerable amount of resources were incurred transitioning from Safe Harbor to Model Clauses not so long ago.

However, what about those U.S. organizations that only have the option of the Privacy Shield, i.e., an organization that collects data from the EU but only operates in the U.S.? For such organizations the Privacy Shield provides a suitable solution for EU-U.S. data transfers. In today's global digital economy it is inconceivable that there would not be a workable solution for EU-U.S. data transfers and thus the EU and U.S. need to continue to work together to strengthen and improve this transfer mechanism until its future is certain and beyond doubt as much as any framework can be.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security