In a press conference held yesterday, April 13th at 1.00 PM, Article 29 Working Group presented their opinion on the EU-US Privacy Shield. You can find the press release here.
In a rather impeccable presentation, Isabel Falque-Pierrotin (chairman of Article 29 Working Party) presented and explained the key points and considerations of such opinion.
In accordance with Article 30 of Directive 95/46/EC, the Working Group presented their common opinion on this fundamental matter in two separate documents, an opinion and a document containing the essential guarantees WP29 considers fundamental for the compliance of European Data Protection Law by the proposed EU-US Privacy Shield.
The legal background for WP29 opinion is based on current legislation of data protection, the fundamental right to a private life -as stated on article 8 of the European Convention on Human Rights- the right to the protection of personal data -as stated on article 8 of the Charter of Fundamental Rights of the European Union- and, of course, the Schrems Judgement.
WP29 admitted at the very beginning of the press conference that their posture is a “demanding” one, as long as it has been strictly performed taken into consideration the number of people that could possibly be affected by these data transfers.
WP29’s conclusions can be summarized as follows:
- As it currently stands, the EU-US Privacy Shield is rather difficult to understand (even for the WP29!) as it integrates a number of documents and annexes that are not necessarily consistent between them.
- Regarding the commercial aspects, WP29 considers that there have been important improvements, for example regarding the definition of the rights at stake, the fact that the question of surveillance is dealt with (although, according to WP29, not enough) and the fact that it would promote transparency. However, WP29 considered that key data protection principles are not reflected. For example, the purpose limitation principle is unclear as the data would remain open for reuse for rather large purposes; the data retention principle is not expressly mentioned and results also difficult to derive from the other principles and the recourses seem numerous and complex for the individuals. Regarding this last point, WP29 considers that DPAs should remain the fundamental point of contact for individuals. WP29 also considers that the EU-US Privacy Shield should integrate a revision clause in order to address the challenges that the coming into force of the General Data Protection Regulation will pose regarding the EU-US Privacy Shield.
- Regarding national security, WP29 considers that both the European Court of Human Rights and the European Court of Justice should assess the level of protection of the new scheme attending to a “European Standard for Surveillance” that should be enforced both in the USA and Europe. Such a standard would commit both parties to the respect of four essential guarantees: 1) clear, precise and accessible rules; 2) adherence to the principles of necessity and proportionality; 3) the establishment of an independent oversight mechanism; and, 4) effective remedies before an independent body. In sum, regarding public security and although WP29 acknowledges concerns regarding the fight against terrorism, it is concerned with the fact that the current EU-US Privacy Shield leaves open the possibility for bulk collection of personal data. Secondly, and although WP29 views the establishment of the Ombudsperson as a great progress, it remains concerned regarding its powers and independence.
WP29 finalized indicating that although the EU-US Privacy Shield constitutes a major improvement compared to the Safe Harbor Agreement, it is urgent for the Commission to resolve the above concerns and request clarifications to improve the new scheme’s mechanisms and make sure that it is adequate to European standards.
Two answers from Mrs. Falque-Pierrotin result especially meaningful and somehow illustrate the road ahead. When asked about what would happen if the Commission decided to adopt the EU-US Privacy Shield as it is, Mrs. Falque-Pierrotin replayed with what I consider a very meaningful “nobody knows”. Afterwards and upon being asked about the next steps for WP29 and if taking the decision to the European Court of Justice would be an option, she indicated that “you can’t prevent anyone to go to Court”. Regarding the question of whether no EU-US Privacy Shield was better that this EU-US Privacy Shield, Mrs. Falque-Pierrotin refused to reply saying that that is a political question outside the realm of WP29.
Article 29 Working Party was set up under Directive 95/46/EC. It has an advisory status and acts independently in order to provide the Commission with advise on any proposed amendments to the Directive and on other measures intended to safeguard the rights and freedoms of natural persons on what regards to the processing of their personal data.
Over the years since its creation, Article 29 Working Party has provided the Commission and other interested parties with opinions and recommendations on a wide variety of data protection related subjects, some of which have been essential for the development of the right to the protection of personal data as established in article 8 of the Charter of Fundamental Rights of the European Union.
Article 29 Working Party’s Statement on the implementation of the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v. Data Protection Commissioner case (C-362/14) of October 16th 2015, constitutes an example of the above as it highlights the need for a “robust, collective and common position on the implementation of the judgement”. Judgment that, as we all know, created the need to replace the Safe Harbor Agreement by an adequacy decision that would sufficiently guarantee the right to the protection of personal data regarding data transfers from Europe into the United States.
Other opinions on the EU-US-Privacy-Shield
Besides the Article 29 Working Party several reactions have been heard and read across Europe regarding this landmark development. Some of these reactions can be read as a more or less accurate “thermometer” as of how welcome or unwelcome this initiative will be from the point of view of the principal players involved.
Digital Europe, “the voice of the digital sector in Europe” declared their strong support towards the “prompt adoption” of the EU-US Privacy Shield adequacy decision” in an open letter dated April 11th 2016. After making some references about the negative economic “shock” that the legal uncertainty created by the invalidation of the Safe Harbor Agreement by the Court of Justice of the EU, Digital Europe indicated that such legal uncertainty must be stopped by the prompt adoption of the EU/US Privacy Shield which according to a legal analysis performed by Hogan Lovells -which they enclosed to their open letter- is not only more demanding on companies but would go beyond the requirements of the General Data Protection Regulation that will come into force in 2018.
At the same time, John Frank, Vice President of Government Affairs at Microsoft, referred to the EU-US Privacy Shield as an “effective framework that should be approved” in a blog post published on April 11th. Mr. Frank goes on to say that although no single legal instrument could address privacy issues on both sides of the Atlantic for all time, the Privacy Shield “provides a strong foundation on which to build”. Microsoft welcomes -according to this statement- the obligations created by the Privacy Shield, will respond to individual complaints within 45 days and will cooperate with national DPAs and comply with their advice. Interestingly, Mr. Frank refers also to Microsoft’s commitment with the respect of the right to privacy and how this company has challenged the US government regarding their demands for data in the past.
It is clear at this point that every stake holder will fuel their own cause. It has also been clear for years that Article 29 Working Group is and has been committed to the production of sound legal opinions and recommendations aimed at the protection of the right to a private life as stated by article 8 of the European Convention on Human Rights and the right to the protection of personal data as stated on article 8 of the Charter of Fundamental Rights of the European Union. We will wait then, until they have reached a consensus about the proposed EU-US Privacy Shield, that, although not binding for the Commission, should constitute a fundamental part of any future discussion regarding this challenging matter.