Europe’s data protection chiefs have fired a warning shot across the bows of the executive body of the Union ahead of the first annual review of the EU-US Privacy Shield.
The data transfer framework, which was agreed in February 2016 and opened for sign-ups last August, is now used by more than 2,000 companies to transfer the personal data of EU citizens to the US for processing without risk of breaching fundamental European privacy rights.
The core idea is a framework that bridges two very different legal regimes.
Privacy Shield replaces the prior Safe Harbor arrangement, which stood for fifteen years before being invalidated by Europe’s top court after a legal challenge that was largely focused on US government mass surveillance practices as a breach of EU privacy rights.
The replacement, which the Commission argues offers more robust privacy guarantees, has always had its critics, who claim it contains the same fundamental flaws as its predecessor arrangement, not least on account of ongoing bulk data collection practices in the US. It is already facing legal challenges.
It also arguably looks especially precarious placed in Trump’s America, given the president’s apparent disregard for the rights of non-Americans. And the implications of the new guard in the White House are clearly front of mind for the EU’s Article 29 Working Party (the body made up of representatives from Member States’ data protection agencies) going into the first annual review.
The group set out a series of concerns about Privacy Shield as far back as April 2016. They’re now gearing up for the annual review, due to take place in the US in September, and today say they’ve sent the EC a letter setting out their views and recommendations, and reserving the right to publish their own report “subject to the outcome of the Joint Review and the report of the Commission”.
So, in other words, it’s a warning shot to the Commission not to try to make the review a pantomime, tick-box exercise.
The WP29 describes the forthcoming review as “a fact-finding mission in order to collect the relevant information and necessary evidence to assess the robustness of the Privacy Shield”.
Its concerns span both commercial elements and law enforcement/national security considerations pertaining to the framework — including raising recent developments in US law that might impact privacy (for example, in January president Trump caused alarm in Europe with an Executive Order that strips privacy rights from non-US citizens); and the fact that a key ombudsperson role, created as part of the data transfer framework, has yet to be appointed.
The US is also currently engaged in debate over reforming Section 702 of FISA, which has implications for how the data of non-US citizens can be treated by US national security agencies.
Discussing its concerns, the WP29 writes today:
… for the commercial part, the WP29 has questions concerning, among others, the existence of legal guarantees regarding automated decision making or the existence of any guidance made available by the DOC regarding the application of the Privacy Shield principles to organisations acting as agents/processors. Clarifications that will be sought also include the definition of human resources data.
Regarding the law enforcement and national security part, the WP 29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB [Privacy and Civil Liberties Oversight Board] as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.
The group also notes that more questions about the robustness and operation of the arrangement may well arise during the review process — which it says should last at least two to three days in order to allow for “sufficient time to conduct an assessment”.
It also says it has suggested a list of US authorities that should be part of the Joint Review, and will be sending eight of its own personnel to be part of the review team — from “commissioners to experts at staff level”.
“The first joint annual review will be… a key moment for the WP 29 to assess the robustness and effectiveness of the Privacy Shield mechanism,” it adds.
At the time of writing the EC had not responded to a request for comment.
Update: In an emailed statement a Commission spokesman told us: “As part of the preparations we are now consulting the companies who subscribed to it, privacy NGOs, as well as our American counterparts to prepare the agenda,” adding: “Consulting with our EU data protection authorities is also part of this process.”
Responding specifically to the WP29’s statement today, the spokesman added: “We will take this input into account in our preparations of the review. It is already foreseen by the Commission’s adequacy decision (Privacy Shield decision) that the data protection authorities will participate in the review.”
We understand that the areas the Commission intends to cover as part of the review include: how US companies comply with their data protection obligations and the mechanisms they have put in place to ensure speedy handling of complaints; how the Department of Commerce and the FTC certify companies, monitor compliance and cooperate with EU Data Protection Authorities in enforcement; the operation of the rules regarding access by public authorities, and the rules and procedures to ensure the Ombudsperson mechanism functions well; and issues already identified in the EC adequacy decision, such as dialogue on automated decision-making, as well as any developments in US law that might raise questions concerning the EU-US Privacy Shield.