EU-US Privacy Shield: Trouble Ahead?

On 29 February, the European Commission published the draft texts that constitute the EU-US Privacy Shield.

The Article 29 Working Party quickly followed this up with a press release, welcoming the publication of the EU-US Privacy Shield, but stating (somewhat ominously) that the draft texts “have to be analysed with great attention as regards the need for restoring trust in transatlantic data flows”.

The final opinion of the Article 29 Working Party on the EU-US Privacy Shield is expected tomorrow (13 April).

A leaked mandate from the DPA of the German state of Baden-Württemberg (following a meeting of the German DPAs) to the German representatives in the Article 29 Working Party could suggest that the Article 29 Working Party may reject the EU-US Privacy Shield in its current form. It is not clear whether the views expressed in the mandate also reflect the consensus of the Article 29 Working Party but it certainly indicates that the discussions will not be straightforward.

What does this leaked mandate say?

The leaked mandate appears to quote several paragraphs from the draft opinion of the Article 29 Working Party. It appears from these quotes that, until certain identified issues are addressed, the EU-US Privacy Shield is rejected as it does not ensure a level of protection essentially equivalent to that in the EU:

“Until these issues are addressed, the WP29 considers it is not in a position to reach an overall conclusion on the draft adequacy decision. […] Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU.”

Furthermore – and crucially – the quotes appear to question the validity of other transfer mechanisms for transfers from the EU to the US (such as the model contract clauses or BCRs):

“[The Article 29 Working Party] stresses that some of the clarifications and concerns – in particular relating to national security – may also impact the viability of the other transfer tools.”

The European Commission is therefore requested to review the EU-US Privacy Shield immediately on the basis of the concerns raised.

The mandate goes on to say that, if the European Commission does adopt the EU-US Privacy Shield without addressing these concerns , the Article 29 Working Party will support test cases and legal actions against the EU-US Privacy Shield before the European Court of Justice. If this is the approach taken by the Article 29 Working Party, it may make the European Commission think twice.

What will happen next?

The Article 29 Working Party is today (12 April) finalising its opinion on the EU-US Privacy Shield. We understand that the positions in the leaked mandate are not final and are still the subject of (legal and political) discussions.

Once issued, we will update this blog with the position taken in the final opinion of the Article 29 Working Party. Should the final opinion confirm the position in the leaked mandate, companies will continue to face legal uncertainty regarding transfers of personal data to the US.