The Article 29 Working Party has today issued a statement on the EU-US Privacy Shield adopted by the European Commission on 12th July 2016. The Privacy Shield scheme is due to go live on 1 August 2016.
We have used some technical terms in this note which are explained in our glossary here http://www.corderycompliance.com/eu-data-protection-regulation-glossary/
The WP29 statement says that having previously expressed concerns on and sought clarifications about Privacy Shield:-
“a number of these concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.”
Those concerns include:
- the lack of specific rules on automated decisions and of a general right to object
- uncertainty of the situation with data processors – this is likely to be of special concern given the greater responsibilities imposed on data processors in the GDPR from May 2018. You can read more about this here
- concerns with the US mass collection of personal data and the lack of ‘concrete assurances’
- concerns over the US ombudsman scheme
WP29 have highlighted the fact that Privacy Shield is subject to annual review. It would seem that, as we predicted earlier, the annual review will be a critical moment for Privacy Shield given the likely scrutiny from both WP29 and the European Parliament.
Pending the annual review “the DPAs within the WP29 commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints”. It is likely that we will continue to see the adequacy of Privacy Shield schemes tested in the same way as we have already had enquiries in Germany and France into Safe Harbor. There is more on those investigations here.
Possibility of court challenge
We looked previously at the Irish referral of model clauses to the European Court of Justice (ECJ) as the result of a new complaint by Max Schrems. You can find our summary of that case here http://www.corderycompliance.com/ireland-to-refer-schrems-matter-to-european-court-for-legal-clarity-about-model-clauses/. The Irish Data Protection Commissioner had previously indicated to the court that she may ask the court to refer Privacy Shield to the ECJ as part of the same case. At a hearing in Dublin yesterday the judge, Mr Justice Brian McGovern, fixed that hearing for 7 February 2017. According to the court, the case will run for up to three weeks. This may mean that the case will not come to the ECJ before the end of 2018 for a hearing there. It is likely then that the threat of a court striking down Privacy Shield, as they struck down Safe Harbor, may remain.
What can I do?
Our Privacy Shield FAQs contain more information on next steps. You can see that here http://www.corderycompliance.com/privacy-shield-faqs/. It may be that Privacy Shield will be right for some organisations and, given likely further announcements in the next few days, it would be wise to keep the situation under review.
You can read the WP29 statement on Privacy Shield here and also view our helpful Frequently Asked Questions here which look at our initial thoughts on Privacy Shield.
For more information please contact Jonathan or André who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785