EU Privacy Chiefs Spotlight U.S. Moves for Data Transfer Review

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

European Union officials must scrutinize U.S. government data policies closely when they visit the U.S. in September to review the EU-U.S. Privacy Shield data transfer program, EU privacy chiefs said June 13.

An EU delegation led by the European Commission, the EU’s executive arm, will travel to the U.S. the week of Sept. 18 as part of the first annual review of the Privacy Shield, the Article 29 Working Party of data privacy officials from the 28 EU countries said in a statement. Besides meeting with U.S. officials, the delegation should also meet privacy advocacy groups, the Working Party said. Eight representatives from the privacy regulators group will be part of the delegation.

The Privacy Shield allows U.S. companies to legally transfer personal data from the EU to the U.S. if they self-certify to the U.S. Department of Commerce their compliance with EU-approved privacy principles. More than 2,100 companies have self-certified, including Alphabet Inc.'s Google and Facebook Inc., to what is considered a crucial mechanism for trans-Atlantic data flows.

Some EU lawmakers and regulators have expressed skepticism about U.S. privacy commitments after a Trump administration executive order that appeared to restrict access to privacy redress mechanisms and the repeal of internet service provider privacy rules earlier this year.

The Art. 29 Working Party said it has sent a letter to the European Commission reiterating its concerns about U.S. government access to data transferred to U.S. companies under the Privacy Shield.

Other priorities include whether Commerce has issued guidance on the application of the Privacy Shield to U.S.-based companies that process data, and what progress has been made on nominating officials to privacy-related roles and bodies in the U.S., the group said.

Commission spokesman Christian Wigand told Bloomberg BNA June 13 that following the Privacy Shield review, the commission will submit a report to the European Parliament and EU countries. The commission hasn’t set a date for the release of the report.

Jorg Hladjk, privacy and data protection of counsel at Jones Day in Brussels, told Bloomberg BNA June 13 that a clear deadline for the commission report would be helpful because companies want legal certainty.

Bulk Data Collection

The Art. 29 Working Party said the Privacy Shield review should look at the existence in the U.S. of “legal guarantees regarding automated decision making,” and that U.S. authorities should provide the EU delegation with “precise evidence” that any bulk collection of data for national security purposes is proportionate and limited to the minimum necessary.

The Privacy Shield is a replacement for the U.S.-EU Safe Harbor program, which was invalidated by the EU’s highest court over concerns that data transferred to the U.S. wasn’t adequately protected from government surveillance. EU officials have said that the main aim of the Privacy Shield review will be to assess if the U.S. government is complying with new surveillance safeguards.

Hladjk said that U.S. law enforcement access to data and related redress mechanisms for individuals concerned about the misuse of their personal data would be “hot topics of the review.”

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

The Art. 29 Working Party statement on the EU-U.S. Privacy Shield review is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security