Regulators Demand Stronger EU-U.S. Data Transfer Program Privacy

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

The EU-U.S. Privacy Shield data transfer program may face legal action by European Union regulators if the European Commission doesn’t work with U.S. officials to tighten the program’s privacy safeguards, a group of EU privacy officials announced today.

The Article 29 Working Party of EU privacy regulators from the 28 EU countries issued a report on the first annual review of the program and gave the commission, the EU’s executive arm, until the May 25 effective date of the EU’s new privacy regime to improve the Privacy Shield program. If the shortcomings aren’t addressed, the group said it would “take appropriate action, including bringing the Privacy Shield adequacy decision to national courts.”

The national courts could be asked to refer the Privacy Shield privacy adequacy issue to the EU Court of Justice, which invalidated the Privacy Shield’s predecessor, the U.S.-EU Safe Harbor data transfer plan, in October 2015.

Some EU officials and lawmakers have expressed continuing concerns that the program doesn’t adequately protect EU citizen data from U.S. government surveillance after the information is sent to U.S. companies.

Although the Privacy Shield represents “progress” compared to the Safe Harbor, the working party said it still has “significant concerns” about the framework, in particular its oversight arrangements in relation to U.S. government access for national security purposes for personal data of EU citizens transferred to the U.S.

“This is a very strong statement by the data protection authorities,” Jorg Hladjk, of counsel with Jones Day in Brussels, told Bloomberg Law. “It shows they won’t let this go easily.”

The Privacy Shield program is relied on by over 2,500 U.S. companies, including Raytheon Corp. and Oracle America Inc., that self-certify to the U.S. Commerce Department that they will abide by EU-approved privacy principles. Tens of thousands of EU companies rely on the program to send personal data of EU citizens to those U.S. companies. Eliminating the program would make it more difficult for U.S. companies to easily transfer personal data from the EU.The report included a series of critiques and recommendations for how the Privacy Shield program should be strengthened before the EU General Data Protection Regulation takes effect , including:

  •  issuing improved guidance and information on privacy principles such as onward transfers of data and remedies for aggrieved individuals;
  •  implementing stronger compliance oversight, including continuous monitoring of participating companies;
  •  requiring more evidence or legally-binding commitments to demonstrate that U.S. intelligence data collection isn’t indiscriminate and access isn’t generalized;
  •  mandating that the U.S. Privacy and Civil Liberties Oversight Board report on the necessity and proportionality of the definition of U.S. intelligence individual targets; and
  •  improving the rules on handling human relations data, profiling, and automated decision making.
The European Commission’s first review of Privacy Shield, which was published in October, found that the framework was largely in compliance with privacy requirement but could be improved. The commission report said the program hasn’t been tested in how it resolves complaints.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The Privacy Shield report is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security