On July 26, 2016, following the adoption of the EU-U.S. Privacy Shield decision on July 12, the Article 29 Working Party (WP29) held a press conference[1] with a view to express its opinion regarding the adoption of the Commission’s decision regarding this important matter.

After welcoming the improvements brought by the Privacy Shield, compared to the Safe Harbour decision and commending the Commission and the U.S. Government for taking into account the Working Party’s concerns regarding the draft EU-U.S. Privacy Shield adequacy decision, the WP29 pointed out that a number of its concerns remain in the final version of the Privacy Shield, in particular, regarding the commercial aspects and, especially regarding the most sensitive part of the decision, that is, the access of U.S. authorities to data transferred from the EU.

With regard to the commercial aspects, the WP29 regretted, in particular, the lack of specific rules on automated decisions and of a general right to object and also the lack of clarity regarding the rules applicable to processors.  This last concern involves, from our perspective, great importance due to the greater responsibilities imposed on data processors according to the General Data Protection Regulation to enter into force in 2018.

Regarding the access of U.S. authorities to data transferred from the EU, the WP29 commented that it would have expected stricter guarantees regarding the powers of the Ombudsperson mechanism and that there’s a lack of concrete assurances regarding the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data.

Faced with this scenario, the Working Party stated that the first joint annual review will be a “key moment” to prove the robustness and efficiency of the Privacy Shield.  The WP29 stressed especially on the need to clearly define the role of the national DPAs in the course of the review and on the need for all the involved parties to have access to the information relevant to evaluate, for example, the necessity and proportionality of the collection and transfer of data by public authorities.

Even more interestingly, the WP29 stated that -within the framework of the first joined annual review- its national representatives will also assess if the safeguards provided under the Privacy Shield are “workable and effective” and that the results of the first review with regard to data access by U.S. authorities to data transferred from the EU may also impact other tools, like Binding Corporate Rules and Standard Contractual Clauses.

In view of the adoption of the Privacy Shield and having the Schrems judgement and the WP29 Opinion 238 in mind, the Working Party committed itself to “proactively and independently” assist data subjects when exercising their rights under the Privacy Shield, to provide information to data controllers with regard to their obligations under this scheme, to provide comments regarding the citizens’ guide published by the commission[2], to make suggestions for the composition of the EU centralized body and to make suggestions regarding the organization of the first annual joint review.

We have shared and commented the opinion of the WP29 regarding the adoption of the Privacy Shield scheme since the negotiations with regard to this important matter started, because we believe the Working Party plays a fundamental role when supporting -or, conversely contesting- the Commission’s decisions regarding the right to the protection of personal data and therefore in the definition of the final shape the agreement regarding EU data transfers to the U.S. will take.  After the press conference held on July 26, we will therefore continue to keep a close eye on the Working Party’s reactions to the implementation of the Privacy Shield decision.

We will also carefully follow the referral of model clauses to the European Court of Justice[3] that may be required by the Irish Data Protection Commissioner as a result of their thorough efforts to investigate Mr. Max Schrems’ complaint and to assure secure transfers of EU data into the U.S.


[1] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf

[2] http://ec.europa.eu/justice/data-protection/document/citizens-guide_en.pdf

[3] https://www.dataprotection.ie/docs/25-05-2016-Statement-by-this-Office-in-respect-of-application-for-Declaratory-Relief-in-the-Irish-High-Court-and-Referral-to-the-CJEU/1570.htm