Data watchdogs threaten legal challenge to Privacy Shield unless oversight mechanisms are strengthened

Out-Law News | 08 Dec 2017 | 10:19 am | 2 min. read

Data protection authorities in the EU have threatened to initiate a legal challenge against the European Commission's decision to endorse the EU-US Privacy Shield unless their "prioritised concerns" about the framework are not addressed by 25 May 2018.

The watchdogs, through umbrella body the Article 29 Working Party, said that it has concerns about "commercial aspects of the Privacy Shield" as well as provisions which allow US authorities to access personal data held by companies signed up to the Privacy Shield for law enforcement and national security purposes.

The Privacy Shield is a framework which enables US businesses that self-certify to a number of privacy principles to transfer personal data from the EU to the US in line with the requirements of EU data protection law. The Privacy Shield has been operational since August 2016.

In September this year, EU and US officials conducted the first annual review of the Privacy Shield. In its report on the review published in October, the European Commission identified improvements that could be made to the framework but concluded that it "continues to ensure an adequate level of protection for the personal data transferred".

In a statement at the time, however, the Working Party said that although it was consulted on the contents of the Commission's report, it would conduct its own analysis of the conclusions reached and publish its own report.

In its report, the Working Party (WP29) has now identified specific concerns that it said need to be addressed, and threatened a legal challenge unless the improvements are implemented by 25 May next year – the date on which the EU's new General Data Protection Regulation (GDPR) will begin to apply.

"The WP29 has identified a number of significant concerns that need to be addressed by both the Commission and the US authorities," the watchdog said. "Therefore the WP29 calls upon the Commission and the US competent authorities to restart discussions. An action plan has to be set up immediately in order to demonstrate that all these concerns will be addressed."

By 25 May 2018, the Working Party said it requires US law makers to appoint a permanent ombudsperson to handle complaints relating to the accessing of EU citizens' personal data by US intelligence agencies, in line with the requirements set out in the Privacy Shield agreement, and to further explain and declassify "the rules of procedure" that apply. The Working Party also said members of another oversight body, the US Privacy and Civil Liberties Oversight Board, should also be appointed by the same date.

"Those prioritised concerns need to be resolved by 25 May 2018," the Working Party said. "The WP29 expects the remaining concerns raised in the report to be addressed at the latest at the second joint review."

"In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling," it said.

A motion put forward by MEPs earlier this year cited concerns with the Privacy Shield, including how the scheme addresses US bulk surveillance powers and accounts for judicial redress for EU citizens in the US. It also highlighted concerns about limitations on the rights of data subjects and inconsistencies in wording compared with EU data protection law.

The Privacy Shield has also drawn criticism from privacy campaigners and is already the subject of legal challenges.