After pointing out that the Privacy Shield Draft Adequacy Decision constitutes a step forward compared to the Safe Harbor Decision, in his Opinion from May 30th 2016, Giovanni Buttarelli, European Data Protection Supervisor, noted that such progress is not, in itself, sufficient.
Mr. Buttarelli reached this conclusion on the basis that, according to the CJEU judgement in the Schrems case, the threshold for an adequacy assessment must be "essential equivalence": an overall assessment of the European legal order and an examination of the most important elements of the data protection framework must be carried out in global terms, so that the essence of those elements is respected.
Although noting that several organizations on both sides of the Atlantic are waiting for an outcome on the adequacy decision, the Supervisor recommended a future-oriented decision, thus predicting that the current draft adequacy decision would be invalidated by the CJEU and would have to be renegotiated under the General Data Protection Regulation (GDPR). Mr. Buttarelli also stressed that the adequacy decision should, in particular, take into account elements of the GDPR which are not present in the Directive, such as the principles of privacy by design, privacy by default and data portability. The GDPR also provides clearer and more detailed criteria for adequacy decisions, including the existence and effective functioning of independent supervisory authorities in the third country in question. Even more interestingly for the case at hand, the GDPR extends the scope of application of the EU data protection framework: controllers or processors not established in the EU will be subject to EU rules as long as their processing activities relate to the offering of goods and services to individuals in the EU or to the monitoring of their behavior. In such cases, therefore, those organizations will be required to comply directly with the GDPR.
The Supervisor’s main recommendations include:
- Integrating all main data protection principles, in particular, those regarding data retention, automated processing and purpose limitation. The provisions about onward transfers, the right to access and the right to object should also be improved.
- Bearing in mind that one of the reasons for the invalidation of the Safe Harbor Decision by the CJEU was the absence of findings on rules limiting interferences by US authorities with the rights of persons whose data is being transferred from the EU, the adequacy decision should better specify the purposes for which derogations are possible.
- The Supervisor also recommended improving the redress and oversight mechanisms and invited the European Commission to explore the feasibility of involving EU representatives in (a) the assessment of the results of the oversight system for the processing by U.S. authorities of personal data transferred from the EU and (b) the notification of certain categories of personal data to be processed by U.S. authorities, in particular where such processing may raise fundamental rights concerns.
Under the additional recommendations, the Supervisor called attention to the fact that the adequacy decision should also assess the full integration of the data minimization and data retention principles regarding transfers of personal data for commercial purposes. Furthermore, Mr. Buttarelli recommended adding safeguards to protect individuals from the effects of decisions taken based solely on the automated processing of personal data.
Regarding the purpose limitation principle, the Supervisor pointed out that terms such as "different purposes", "materially different" purposes, or "a use that is not consistent with" are not clear and may cause misunderstandings, and therefore recommended using the term "(in)compatible purpose" consistently throughout the document.
With regard to the exceptions that the current draft decision encompasses, the Supervisor noted that their scope should be clearly stated in detail in the draft decision to ensure legal certainty. Furthermore, Mr. Buttarelli noted that some of these exceptions could be problematic since they may contradict key requirements of the EU data protection legislation.
According to the Supervisor, the improvement of redress should build on the voluntary option for certified organizations to be subject to supervision by the DPAs and, as the WP29 also recommended, privacy policies should include the possibility for EU individuals to bring claims for damages in the EU. Furthermore, as long as non-U.S. persons do not always enjoy the same rights as U.S. persons under the U.S. legal system, the relevance of the Privacy Shield's oversight and redress mechanisms remains limited. The Supervisor therefore recommended implementing additional safeguards for independent supervision and redress in the case of access for law enforcement and other public interest purposes.
With regard to oversight, Mr. Buttarelli recommended that the U.S. authorities systematically and effectively monitor compliance with the Privacy Shield principles, for example through on-site visits or inspections at the premises of self-certified organizations. The operation of the DPA Panels should also be defined more precisely than that of the panel established under Safe Harbor.