Data watchdogs give EU-US Privacy Shield the green light for a year

Out-Law News | 28 Jul 2016 | 11:09 am | 2 min. read

EU data protection authorities have signalled that they will not challenge the legitimacy of data transfer arrangements under the new EU-US Privacy Shield during the first year of its operation.

The Article 29 Working Party said, though, that national data protection authorities (DPAs) within the EU "commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints" during the period.

From 1 August the Privacy Shield will allow US businesses to self-certify their compliance with a set of privacy principles and, as a result, transfer personal data from the EU to the US.

The European Commission has deemed that data transfers handled in accordance with the Privacy Shield principles will adhere to EU data protection law requirements. The Commission negotiated amendments with US counterparts to an earlier draft of the framework following criticisms raised by the Working Party earlier this year.

In a new statement the Working Party welcomed the fact that its concerns were "taken … into consideration in the final version of the Privacy Shield documents", but said it still has some issues with the framework.

However, it suggested that it would not seek to challenge the legitimacy of the Privacy Shield during the first year of its operation. It also suggested businesses are free to continue using binding corporate rules (BCRs) and model contract clauses during that time to underpin their EU-US data transfer arrangements, although the EU's highest court could review the legitimacy of model clauses as data transfer tools in a forthcoming case.

The Working Party said "the first joint annual review" of the Privacy Shield would be "a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed". It said that at the review it plans to "not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-US Privacy Shield are workable and effective".

The Privacy Shield documents provide for a joint annual review of the way the Privacy Shield is functioning. The review will involve a meeting of representatives from the US Department of Commerce, the Federal Trade Commission and potentially other US agencies together with officials from the European Commission and EU data protection authorities.

The Working Party said: "The results of the first joint review regarding access by US public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses."

Previously the Working Party said the Privacy Shield did not protect sufficiently against bulk processing of EU citizens' data by US authorities and that it was not satisfied that a new ombudsperson, to be tasked with handling complaints relating to the accessing of EU citizens' personal data by US intelligence agencies, would be independent.

In its latest statement the Working Party said the Commission had not obtained "concrete assurances" from the US that it will not undertake "mass and indiscriminate collection of personal data", and said it "would have expected stricter guarantees concerning the independence and the powers of the ombudsperson mechanism".

The Working Party also highlighted remaining concerns with some "commercial aspects" of the framework.

It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to processors".

Information law specialist Cerys Wyn Davies of Pinsent Masons recently looked into the practical steps US companies need to take to self-certify under the Privacy Shield. Microsoft has announced its intention to sign up to the Privacy Shield.