WP29 threatens legal action over EU-US Privacy Shield concerns

On September 18 and 19, 2017, eight representatives from the Article 29 Data Protection Working Party (WP29) initiated the first European Commission (EC) joint review of the EU-US Privacy Shield. According to the Privacy Shield website:

“The EU-US and Swiss-US Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.”

The advisory body comprises representatives from the data protection authority of each EU member state, plus the European Data Protection Supervisor and the EC. The review took place in Washington, DC with relevant US authorities.

On November 28, 2017, the WP29 held its 113th plenary meeting, where it issued opinions and advice based on the annual review. The good news is that the WP29 supports US authorities' efforts to implement policies and procedures that perpetuate the Privacy Shield. It also recognizes that the Privacy Shield is an advancement over Safe Harbor, which was ruled invalid on October 6, 2015.

And now the bad news

The WP29 says that, in terms of achieving compliance, several Privacy Shield areas would benefit from increased oversight and supervision from senior management and third-party certifying bodies. Presently, the WP29 asserts, there is a lack of guidance and information.

Other major recommendations include:

  • Delineating data processors from data controllers during self-certification and throughout checks
  • Addressing absence(s) or limitation(s) to data subjects’ rights
  • Improving HR data
  • Ensuring uninterrupted protection for data subjects

Comments on 702 FISA and EO 12 333

The decision to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA) is upcoming and, if the reauthorization were to pass, a number of improvements should be made. The WP29 believes that the Privacy and Civil Liberties Oversight Board (PCLOB) should be able to complete research and analysis, and deliver its anticipated report on the controversial EO 12 333 with regard to data protection. The executive order extends US intelligence authority and mandates that leaders of US federal agencies cooperate fully with CIA requests for information.

WP29 calls for immediate action plan

The WP29 believes that an action plan is needed immediately. Therefore, discussions between the EC and US regulating authorities should recommence sooner rather than later. The board recognizes that there are vacancies on the PCLOB and believes that it is necessary to appoint the right personnel as soon as possible.

The WP29 also seeks a better understanding of the ombudsperson selection process through rules declassification so that the selection can be prioritized.

The WP29 has set a resolution due date of May 25, 2018 and no later than the second joint review. The board is prepared to take legal action against the Privacy Shield adequacy decision in national courts for “them to make a reference to the [Court of Justice of the European Union] for a preliminary ruling.”

Privacy Shield implementation by the Department of Commerce

  • 2,400 organizations have self-certified under the Privacy Shield; 60% are SMEs (micro-, small-, and medium-sized enterprises)
  • 1,590 self-certified during the first two months
  • 150 companies recertified, 1 failed to recertify, and 10 withdrew
  • 2,492 companies finalized self-certification; 78 are awaiting initial review and 404 received requirements for further revision following an initial policy review

Gain a clear understanding of the GDPR and the EU-US Privacy Shield with the EU GDPR and EU-US Privacy Shield – A Pocket Guide, which explains:

  • The terms and definitions used within the GDPR and the EU-US Privacy Shield, in simple terms
  • The key requirements
  • How to comply with the Regulation