- Integrate All Main Data Protection Principles. The EDPS took issue with the Commission’s belief that the draft decision as written ensures that the Privacy Shield provides data protections that are “essentially equivalent” to those under the EU’s Data Protection Directive (Directive). Instead, the Opinion called for the U.S. and the EU to clarify the application of several principles and their exceptions – including protections relating to data retention, automated processing, and purpose limitation – as well as the provisions concerning onward transfers, rights of access to data, and rights to object.
- Limit Derogations. An additional concern for the EDPS is that, under the draft adequacy decision, the application of the Privacy Shield’s principles can be limited for national security, law enforcement, or public interest requirements, as well as when the principles conflict with applicable statutes, regulations, or case law. According to the EDPS, the Privacy Shield should be more precise about when, and under what legal bases, exceptions are allowed; the EDPS also called for greater clarification of the U.S. government’s ability to access and use personal data for national security purposes.
- Improve Redress and Oversight Mechanisms. The EDPS also called for greater development of the U.S. Ombudsman’s role to ensure its independence not only from the U.S. intelligence community but “also from any other authority,” and for the Commission to seek specific commitments from the U.S. that the Ombudsman’s requests, decisions, and recommendations will be respected and implemented by all applicable U.S. agencies.
The EDPS also encouraged the Commission to consider involving EU representatives in the assessment of the oversight mechanisms regarding the processing of personal data from the EU by U.S. authorities, and to ensure that U.S. authorities notify EU representatives when processing unspecified categories of data that raise fundamental rights concerns.

Additional Recommendations to Enhance the Privacy Shield. Beyond the primary recommendations above, the EDPS offered the following suggestions to improve the Privacy Shield:
- Commercial Purpose Provisions. Looking at the Privacy Shield’s overriding purpose – facilitating trans-Atlantic commercial data transfers in line with EU law – the EDPS recommended that the Commission more clearly detail the framework’s data minimization and data retention provisions, add measures to safeguard individuals’ legitimate interests when they are subject to a decision based on automated processing, and clarify potential inconsistencies in the purpose limitation principle. The EDPS also suggested that the Commission limit the range of exceptions to the Privacy Shield’s principles and encourage U.S. regulators to effectively monitor companies’ compliance with the Privacy Shield, and recommended that companies participating in the Privacy Shield voluntarily subject themselves to supervision by European data protection authorities (DPAs).
- U.S. Authorities’ Access to Data. Claiming that the Commission’s draft adequacy decision does not fully consider the rights of EU citizens to access, rectify, or erase data collected or accessed by authorities for non-national security purposes, the EDPS called for additional, unspecified safeguards for independent supervision and redress where data is accessed for law enforcement and other public interest purposes.
- Assess Impact of Relevant Statutes and Rules. The data protection supervisor also recommended that the Commission assess U.S. federal and state laws and international commitments that may interfere with the Privacy Shield’s principles and thus impact the protection of personal data.
- Conduct Meaningful Reviews. The Opinion also advised that the routine review of the Privacy Shield’s function should include on-the-spot verifications, applicable to both commercial transfers and the U.S. government’s access to transferred data.
- Account for GDPR. Finally, recognizing that the General Data Protection Regulation (GDPR) will replace the Directive in May 2018, the EDPS advised that the draft adequacy decision should consider parts of the GDPR that are not currently part of the EU’s data protection laws, such as privacy by design, privacy by default, and the data portability principles. According to the EDPS, considering these provisions as part of the Privacy Shield now will ensure long-term consistency in the protection of personal data.