On 18 and 19 September 2017, the first joint review of the Privacy Shield took place in Washington, DC. After the
publication of the report of the European Commission on 18 October 2017, the Article 29 Working Party (“ WP29”)* has now also published its findings. The WP29 has been critical of the Privacy Shield from the beginning, and announced prior to the joint review that it would not necessarily follow the conclusions of the European Commission. In its opinion, the WP29 raises serious doubts with respect to the functionality of the Privacy Shield.
Judgment of the WP29: many problems (still) not addressed
The WP29 is of the view that the Privacy Shield, as a whole, is an improvement on the invalidated Safe Harbor decision. Moreover, the WP29 considers the increased transparency of the American government with regard to its use of surveillance to be a positive development. However, the WP29 has identified several significant remaining concerns:
- Lack of information and guidance. The American government should do more to inform both the organisations that certify under the Privacy Shield and the EU-citizens about their rights and obligations. Especially given the fact that the Privacy Shield works on the basis of self-certification, it is necessary that all parties are clear on how the principles of the Privacy Shield should be applied.
- Lack of oversight. The American government does not provide sufficient oversight with regard to the organisations that are party to the Privacy Shield. Although the certification process is monitored by the government, after that there is no supervision as to whether the organisations are indeed adhering to its principles. This is worrying in light of the fact that the content of the privacy policies of the organisations are not reviewed during the certification process.
- Data collection by the government. The WP29 calls upon the American government to substantiate their claim that there is no indiscriminate collection of data and that access is not conducted on a generalized basis.
- Privacy and Civil Liberties Oversight Board. As did the European Commission, the WP29 urges the American government to rapidly appoint new members to vacancies on the board.
- Ombudsperson. The WP29 calls for a swift appointment of a permanent Ombudsperson. Moreover, the WP29 notes that the American government has deemed certain information -for example on the relation between the Ombudsperson and the intelligence services- to be classified, making it difficult for the WP29 to evaluate whether the Ombudsperson has adequate powers to fulfil its position. Finally, the WP29 considers it problematic that the decisions of the Ombudsperson are not subject to judicial review.
Although several of the abovementioned points were also raised by the European Commission, the WP29 draws a much bleaker conclusion. In its current form, the Privacy Shield does not offer the safeguards necessary to legitimise the transfer of data between Europe and the United States. The WP29 therefore calls upon the European Commission and the American government to start addressing these issues as soon as possible. With regard to the Ombudsperson and the appointment of the other members of the Privacy and Civil Liberties Oversight Board, the WP29 sets 25 May 2018 as a deadline (the day on which the General Data Protection Regulation will become applicable in the whole European Union). For the other issues, the WP29 requires these to be addressed ultimately at the next joint review. If this is not the case, the WP29 may seek to obtain a preliminary ruling of the Court of Justice of the European Union on the validity of the Privacy Shield.
* The WP29 is a European body of representatives of all national data protection authorities of the Member States. The WP29 regularly publishes guidelines and opinions pertaining to data protection.