On 12 July 2016, the European Commission adopted the EU-U.S. Privacy Shield adequacy decision. The WP29 welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbour decision. In its Opinion WP238 on the draft EU-U.S. Privacy Shield adequacy decision, the WP29 expressed concerns and asked for various clarifications. The WP29 commends the Commission and the U.S. authorities for having taken them into consideration in the final version of the Privacy Shield documents. However, a number of these concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.
Concerning commercial aspects, the WP29 regrets, for instance, the lack of specific rules on automated decisions and of a general right to object. It also remains unclear how the Privacy Shield Principles shall apply to processors.
Concerning access by public authorities to data transferred to the U.S. under the Privacy Shield, the WP29 would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism. Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.
The first joint annual review will therefore be a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed. In this regard, the competence of DPAs in the course of the joint review should be clearly defined. In particular, all members of the joint review team shall have the possibility to directly access all the information necessary for the performance of their review, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities. When participating in the review, the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective. The results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.
In the meantime, and now that the Privacy Shield has been adopted, with the Schrems judgment and opinion WP238 in mind, the DPAs within the WP29 commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints. The WP29 will soon provide information to data controllers about their obligations under the Shield, comments on the citizens’ guide, suggestions for the composition of the EU centralized body and for the practical organisation of the joint review.