EU-US Privacy Shield rejected by European data protection authorities: what does this mean for your business?

The Article 29 Working Party (WP29) today published its final Opinion on the EU-US Privacy Shield proposed by the European Commission on 29 February.

This Opinion was eagerly expected and follows a period of intense political discussions and lobbying. Discussions were often heated, with major US tech companies such as Microsoft coming to the defence of the EU-US Privacy Shield, whilst a well-known privacy advocate called the EU-US Privacy Shield “ten layers of lipstick on a pig”.

As reported yesterday, leaked documents suggested that the WP29 would both reject the EU-US Privacy Shield and question the validity of the other EU-US transfer mechanisms.

In its final Opinion, the WP29 has now partially – but, importantly, not fully – confirmed the position which was reported in the leaked documents.

Interestingly, the WP29 President, Isabelle Falque-Pierrotin, reported in the press conference presenting the WP29 position, that the first reaction of the WP29 when receiving the EU-US Privacy Shield was positive given that it addresses many concerns formulated by the WP29 against the (invalidated) Safe Harbor regime. However, although the WP29 states that the EU-US Privacy Shield is a substantial improvement on the Safe Harbor regime, the WP29 states that there are “serious concerns” that must be resolved “in order to improve the draft adequacy decision and ensure [that] the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU”.

In particular, the WP29 points in its final Opinion to the following concerns in regard to the EU-US Privacy Shield:

• The overall presentation and wording used to address the principles set out by the EU-US Privacy Shield lack clarity.
  Certain key data protection principles are not expressly reflected in the EU-US Privacy Shield. In particular, the WP29 points out that the data retention principle is not expressly mentioned, and that the application of the purpose limitation principle is unclear. The WP29 recommends that the EU and the US agree on the definition of the terms used for the key data protection principles.
• The WP29 also points out that onward transfers from companies based in the US to other entities based outside of the US, would need to be better addressed and in particular that the current wording of the EU-US Privacy Shield lacks guarantees as to the level of protection required when such onward transfers occur. This point is particularly important considering that most data transfers do not occur only in one country but flow between different countries. The WP29 therefore intends to avoid that the EU-US Privacy Shield creates a back door for transfers without guarantees to third countries.
• Despite the fact that the WP29 recognises the importance of the collection of data as part of the fight against terrorism, the WP29 rejects the massive and indiscriminate collection of personal data. It considers that the EU-US Privacy Shield still allows for such massive and indiscriminate collection of personal data for national security reasons. Together with its final opinion on the Privacy Shield as referred to above, the WP29 also published a document setting out the essential guarantees that any processing for national security reasons must comply with.
• There are insufficient guarantees that the Ombudsperson, one of the key redress mechanisms available to European citizens, is sufficiently independent and vested with adequate powers to effectively guarantee a satisfactory remedy.
• Finally, the WP29 calls for a review of the Privacy Shield in light of the GDPR shortly after its entry into application.

However, there is a silver lining: the WP29 does not (contrary to what was suggested in the leaked documents) question the validity of the other EU-US transfer mechanisms such as model contract clauses and binding corporate rules. Therefore, companies can (at least for the moment) continue to rely on these alternative transfer mechanisms.

Based on the concerns raised, the WP29 requests that the European Commission review the EU-US Privacy Shield and address its concerns. Interestingly, the WP29 does not impose any calendar.

In an initial reaction, the European Commission has stated that it will review the EU-US Privacy Shield and undertake its best efforts to address the WP29’s concerns.

The big question will however be whether US authorities will be prepared to change some of the key principles in the EU-US Privacy Shield, in particular in relation to data processing for national security reasons. With US negotiators already having pointed out that they have little room for negotiation, any renewed EU-US negotiations will likely be tough, with unpredictable results.

Alternatively, the European Commission could decide to forge ahead with adopting the EU-US Privacy Shield, ignoring the concerns raised by the WP29. However, this is a risky move, as both the German DPAs (in leaked documents) and several privacy advocates have already stated that they are willing to bring and support test cases against the EU-US Privacy Shield (if adopted in its current form) before the European Court of Justice.

Whatever option the European Commission chooses, there is likely to remain substantial legal uncertainty as to the feasibility of the EU-US Privacy Shield for some time to come. Companies will therefore be forced to rely on alternative transfer mechanisms (such as the model contract clauses) to legitimise data transfers to the US.

One (important) question mark remains though: will all data protection authorities again authorise transfers of personal data to the US? This question is still pending especially after some data protection authorities expressly announced in November 2015 that they would not accept data transfers to the US even when based on alternative transfer mechanisms. Reactions from local data protection authorities may give us some more food for thought in the coming days.

[by Peter Van Dyck and Emmanuelle Bartoli, 13 April 2016]