Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
EU-US Privacy Shield: more work required
The EU’s Article 29 Working Party has raised a number of areas of concern about the replacement for Safe Harbor.
On 13 April 2016, the Article 29 Working Party (Working Party), the EU’s independent data protection advisory body, published its Opinion on the draft adequacy decision on the EU-US Privacy Shield scheme which has been proposed to replace the EU-US Safe Harbor scheme that was invalidated last November following the Schrems decision (see our previous update summarising Privacy Shield here).
The Working Party’s key aim is to ensure that an equivalent level of protection is afforded to individuals when their data is transferred from the EU to the US and processed under the terms of the Privacy Shield scheme as when it is processed in the EU under the EU data protection legal framework.
The European Commission published its draft adequacy decision setting out the new Privacy Shield framework (Draft Adequacy Decision) on 29 February 2016. Since then, the Working Party has been analysing and assessing the level of protection that the proposed framework affords in light of the Schrems decision and taking into account the fundamental rights to privacy and data protection and the number of individuals potentially affected by transfers.
Whilst the Working Party considers that the Draft Adequacy Decision has made significant improvements on the Safe Harbor decision and represents a step forwards from the Safe Harbor position, it also raises the following as being key areas of concern:
1. Inadequate coverage of protection principles: some of the key data protection principles in the current EU legal framework are, in the Working Party’s view, not reflected in the Draft Adequacy Decision, or have been inadequately substituted by alternative notions. In particular:
- Data retention: there is no express data retention principle which means that US organisations which participate in Privacy Shield could retain personal data as long as they wish to rather than only retaining it for as long as is necessary to fulfil the relevant purpose;
- Purpose limitation: the application of the purpose limitation principle to the processing of personal data is unclear. The Working Party maintains that it must be made clear that an organisation will not be permitted to process data for a purpose which is materially different to the purpose for which it was collected;
- Safeguards: there are no safeguards for individuals who are the subject of automated decision making processes which could have a significant impact on them. The Privacy Shield scheme should, in the Working Party’s view, at a minimum contain safeguards to ensure that the rights of individuals are not severely diminished by these automated decisions including the right to know the logic involved and the right to request a reconsideration on a non-automated basis.
2. Onward transfers: the onward transfer of data from a Privacy Shield organisation to an organisation in a third country should again provide an equivalent level of protection for individuals and should not be used to circumvent the protections afforded to individuals by the EU legal framework. In addition, Privacy Shield organisations should be required to assess whether the laws of the relevant third country could have an adverse effect on the protections afforded under the Privacy Shield. If the transfer were to have such an impact, then that transfer should be prohibited.
3. Redress mechanisms: the complexity and lack of clarity in respect of the redress mechanisms for individuals could result in their rights being undermined. In addition, the fact that most of the redress mechanisms envisage a US based procedure could, in the Working Party’s view, hinder the ability of EU data protection authorities to monitor such procedures.
4. National security: the ability for the US government to derogate from the Privacy Shield principles for national security purposes has raised a number of concerns for the Working Party, namely:
- whether the derogations are justifiable. The lack of transparency, the broad ranging scope of certain surveillance legislation and the uncertainty regarding its practical effect could make it difficult to gauge when the US authorities would be permitted to derogate from the privacy principles;
- the right for the US authorities to continue to bulk collect indiscriminate data, which is inconsistent with the EU data protection legal framework;
- the establishment of an ombudsman that may not be sufficiently independent, may not adequate powers and which therefore may not be able to guarantee a satisfactory remedy.
5. GDPR: the impact of the General Data Protection Regulation (GDPR – see our latest update here) and the importance of a further review to ensure that there is consistency between the Privacy Shield and the new legal framework to be implemented under the GDPR.
The next step in the process of formally adopting the Draft Adequacy Decision will be to seek the opinion of EU member states’ representatives. In the meantime, the Chairwoman of the Working Party has confirmed that data transfers to the US may still take place under the existing data transfer mechanisms, principally being EU Model Clauses and/or Binding Corporate Rules.
There are many businesses which, prior to the Schrems decision, relied on Safe Harbor to legitimise data transfers from the EU to the US for a range of purposes from transferring internal records relating to employees to procuring or providing outsourced business services. Such businesses have experienced considerable disruption following Schrems due to the need to rely on alternative compliance options such as implementing data transfer contracts incorporating EU Model Clauses.
Whilst the Privacy Shield proposals require refinement to accommodate the concerns of the Working Party summarised above, as well as any further concerns or suggestions that may be raised by member states in the next stage of the process, the overall direction of travel towards a viable replacement for Safe Harbor in the not too distant future will be widely welcomed.
Click here for the Opinion.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.