Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion n° 4/2016 of May 30, its concerns about the compliance of the draft adequacy decision on the EU-U.S. Privacy Shield (available here) with the Schrems ruling. As a refresher, this ruling, issued on October 6, 2015 by the EU Court of Justice (CJEU) (C-362/14), invalidated the Safe Harbor framework, which allowed EU companies to transfer personal data to certain self-certified U.S. companies. Since the EDPS is one of the most influential voices on the CJEU regarding data protection matters, this opinion should be carefully considered.
The EU and U.S. negotiators are caught between competing sides. For obvious reasons, industry urges the negotiators to reach an agreement before the end of summer and the U.S. elections. On the other side, the WP29 and the EDPS outline the imperative to meet the requirements resulting from the Schrems ruling by reaching an agreement ensuring “a level of protection of fundamental rights and freedoms that is [not necessarily identical but] essentially equivalent to that guaranteed within the European Union“. The outcome of this negotiation relies on whether U.S. legislation will provide the guarantees of implementation and enforcement of the commitments made under the agreement.
In its opinion, the EDPS targets the lack of precision of certain provisions and recommends strengthening certain principles:
- Purpose limitation: data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- Data retention: data must not be retained longer than is necessary for the purpose for which it is processed;
- Automated processing: every person should have the right not to be subject to a decision based solely on automated processing which significantly affects him/her;
- Onward transfers: those transfers should not enable third parties and foreign importers to circumvent the Privacy Shield framework; and
- Data subjects’ right: the provisions addressing the right to access and the right to object should be improved.
The EDPS welcomes the efforts towards increased transparency in the information provided on access to data by U.S. authorities. However, according to the EDPS, the Privacy Shield should better specify the notion of “foreign intelligence” and the purposes for which derogations “necessary to meet national security, law enforcement or any public interest requirement” are possible.
The EDPS also recommends improving the redress mechanisms by providing specific commitments that (i) the proposed Ombudsperson will be able to act independently not only from the intelligence community but from any authority, (ii) the requests for information and cooperation from this Ombudsperson will be effectively implemented by all U.S. agencies, (iii) the level of protection of U.S. and non-U.S. data subjects will be identical. The EDPS encourages exploring the possibility of involving EU representatives in the assessment of the oversight system results.
One of the major merits of this opinion is to promote general and long-term objectives that can lead negotiations toward a stable agreement. According to the EDPS:
- The final adequacy assessment should not only include regulations directly related to the U.S. commitments but all federal and state laws that could allow access for public interest purposes;
- As required by the CJEU and the WP29, in order to check whether the finding relating to the adequacy decision is still factually justified, the annual joint review of the application of the Privacy Shield should not only include meetings with public and private entities but also “on-the-spot verifications“;
- Last but not least, the new elements of the General Data Protection Regulation (GDPR), which will replace the current Directive in about two years, should be put on the negotiating table, including the privacy by design and by default principles, data portability and the criteria for future third countries adequacy decisions.
For more information on the Privacy Shield and the GDPR, please refer to the following prior Password Protected blog posts: