The Working Party of European Union Data Protection Authorities ("WP29") recently issued its opinion on the draft EU-U.S. Privacy Shield Adequacy Decision ("Privacy Shield"). As part of the internal EU "comitology" review process for Privacy Shield, WP29 provides a non-binding, yet influential, opinion to the European Commission and Art. 31 Committee, the bodies that will each need to approve Privacy Shield.
What Does The WP29 Opinion Mean For Organizations?
Given its role as the champion of privacy rights, it is not surprising that WP29 identifies concerns with Privacy Shield and recommends clarifications and improvements to the text. It is noteworthy, however, that WP29 indicates that Privacy Shield offers "major improvements" as compared to its predecessor, the U.S.-EU Safe Harbor Privacy Arrangement ("Safe Harbor"). Organizations considering whether to certify to Privacy Shield, or to rely on other organizations that do, should carefully consider the views of WP29. Even if Privacy Shield is promulgated by the EU in its current form without modification, data protection authorities ("DPAs") will retain substantial power to review individual data transfers made under Privacy Shield. As such, the WP29 opinion is a roadmap to key points that might be examined by DPAs in such individual cases.
What Concerns Are Expressed In The WP29 Opinion?
The concerns noted in the WP29 opinion include the lack of an obligation to delete EU personal data once it is no longer necessary, the failure to exclude the “massive and indiscriminate” collection of EU personal data by the U.S. government, and the practical effectiveness of the Ombudsperson mechanism. Particular areas for improvement include the use of clear and consistent terminology, adequate protections for onward transfers (transfers of EU personal data from the U.S. to other countries), clarity on current and future U.S. laws that impact the ability of law enforcement to access EU personal data, consistency with EU data protection laws (in particular, the General Data Protection Regulation), and adjustments to the annual review process of the adequacy of Privacy Shield.
What Does The WP29 Opinion Mean For Privacy Shield?
The WP29 opinion is not unexpected. It is not binding upon the European Commission, and does not mean that Privacy Shield is not viable. However, the opinion has likely influenced the Article 31 Committee (made up of representatives of each of the EU member states and chaired by a Commission representative), which failed to reach consensus on Privacy Shield on May 19th and will now hold further discussions before voting on Privacy Shield. The opinion will also most likely be scrutinized by, and influence, the European Commission, which will have the final say over Privacy Shield but can only adopt Privacy Shield if the Art. 31 Committee votes in favor of it.
Despite the additional steps and concerns with Privacy Shield, the expectation is that many U.S. organizations will find the adoption of Privacy Shield to be a helpful tool to facilitate compliance with EU data transfer restrictions. Our recent survey at the IAPP Privacy Summit in Washington, DC shows that a majority of respondents believe that companies should certify within the first two months of the adoption of Privacy Shield to take advantage of the grace period. Many organizations are nevertheless also expected to maintain model clauses, binding corporate rules, and other solutions "on top" of Privacy Shield. Depending on factors such as the jurisdictions where operations or customers are located, such additional solutions may remain an important means to obtain certainty about data protection regulatory compliance for global transfers in an otherwise uncertain data protection world.