EU Data Supervisor: Privacy Shield Needs “Robust Improvements”

The push for the European Union and the United States to reopen negotiations over the EU-U.S. Privacy Shield may have just become a shove, due to a recent opinion released by the European Data Protection Supervisor (EDPS) assessing the data protections offered and recommending a series of substantial changes to the new data transfer framework.

On May 30, the EDPS released its Opinion on the EU-U.S. Privacy Shield Draft Adequacy Decision (Opinion). The EDPS’ Opinion follows the European Parliament’s recent resolution and the EU’s Article 29 Working Party (WP29) opinion on the Privacy Shield, in which both bodies expressed their misgivings about the data transfer framework’s ability to protect EU citizens’ personal data in accordance with EU law.

In its Opinion the EDPS echoed many of the same sentiments and concerns expressed by the Parliament and the WP29, noting that the European Commission’s draft adequacy decision is an improvement over the U.S.-EU Safe Harbor Framework, which was invalidated by the Court of Justice for the European Union last October. But the EDPS cautioned that “progress compared to the earlier Safe Harbor … is not itself sufficient.” Instead, the Privacy Shield “as currently designed does not adequately include … all appropriate safeguards” to protect EU citizens’ privacy and data protection rights, and that “robust improvements are needed” to achieve a long-lasting and solid data transfer framework, according to the EDPS.

Primary Recommendations.

The EDPS offered the following recommendations to strengthen the Privacy Shield before the Commission issues its final adequacy decision:

• Integrate All Main Data Protection Principles. The EDPS took issue with the Commission’s belief that the draft decision as written ensures that the Privacy Shield provides data protections that are “essentially equivalent” to those under EU’s Data Protection Directive (Directive). Instead, the Opinion called for the U.S. and the EU to clarify the application of several principles and their exceptions – including protections relating to data retention, automated processing, and purpose limitation – as well as the provisions concerning onward transfers, rights of access to data and rights to object.
• Limit Derogations. An additional concern for the EDPS is that, under the draft adequacy decision, the application of Privacy Shield’s principles can be limited for national security, law enforcement, or public interest requirements, as well as when the principles conflict with applicable statutes, regulations, or case law. According to the EDPS, the Privacy Shield should be more precise about the when and under what legal bases exceptions are allowed, and called for greater clarification on the U.S. government’s ability to access and use personal data for national security purposes.
• Improve Redress and Oversight Mechanisms. The EDPS also called for greater development of the U.S. Ombudsman’s role to ensure its independence not only from the U.S. intelligence community but “also from any other authority,” and that the Commission seeks specific commitments from the U.S. that the Ombudsman’s requests, decisions, and recommendations will be respected and implemented by all applicable U.S. agencies.

The EDPS also encouraged the Commission to consider involving EU representatives in the assessment of the oversight mechanisms regarding processing of personal data from the EU by U.S. authorities, and that U.S. authorities notify EU representatives when processing unspecified categories of data that raise fundamental rights concerns.

Additional Recommendations to Enhance the Privacy Shield

Beyond the primary recommendations above, the EDPS offered the following suggestions to improve the Privacy Shield:

• Commercial Purpose Provisions. Looking at the Privacy Shield’s overriding purpose – facilitating trans-Atlantic commercial data transfers in line with EU law – the EDPS recommended that the Commission more clearly detail the framework’s data minimization and data retention provisions, add measures to safeguard individuals’ legitimate interests when subject to a decision based on automated processing, and clarify potential inconsistencies in the purpose limitation principle. The EDPS also suggested that the Commission limit the range of exceptions to the Privacy Shield’s principles, encourage U.S. regulators to effectively monitor companies’ compliance with the Privacy Shield, and recommended companies participating in the Privacy Shield voluntarily subject themselves to supervision by European data protection authorities (DPAs).
• U.S. Authorities’ Access to Data. Claiming that the Commission’s draft adequacy decision does not fully consider the rights of EU citizens to access, rectify, or erase data collected or accessed by authorities for non-national security purposes, the EDPS called for additional, unspecified safeguards for independent supervision and redress where data is accessed for law enforcement and other public interest purposes.
• Assess Impact of Relevant Statutes and Rules. The data protection supervisor also recommended that the Commission assess U.S. federal and state laws and international commitments that may interfere with the Privacy Shield’s principles and thus impact the protection of personal data.
• Conduct Meaningful Reviews. The Opinion also advised that the routine review of the Privacy Shield’s function should include on-the-spot verifications, applicable to both commercial transfers and the U.S. government’s access to transferred data.
• Account for GDPR. Finally, recognizing that the General Data Protection Regulation (GDPR) will replace the Directive in May 2018, the EDPS advised that the draft adequacy decision should consider parts of the GDPR that are not currently part of the EU’s data protection laws, such as privacy by design, privacy by default, and the data portability principles. According to the EDPS, considering these provisions as part of the Privacy Shield now will ensure long-term consistency in the protection of personal data.

What does the EDPS Opinion Mean for the Privacy Shield?

Like the European Parliament’s and the WP29’s recent assessments of the Privacy Shield, the EDPS’ Opinion is advisory only and non-binding, meaning that the Commission does not have to incorporate its recommendations into its final adequacy decision on the Privacy Shield. Yet the EDPS’ concerns are the latest in a series of pronouncements from European authorities questioning the Privacy Shield’s compliance with EU data protection laws, and the new data transfer pact’s ability to withstand scrutiny from the CJEU unless substantive changes are made. Combined with the Article 31 Committee’s recent call for more time to weigh the Privacy Shield’s provisions, the EDPS’ Opinion may make it inevitable that European and American negotiators sit down once again to beef up the Privacy Shield and to guard against a later invalidation by the CJEU.

Time will tell if negotiators will choose to tweak the Privacy Shield or leave it as-is, but the reluctance by some European authorities to sign-off on the new framework could forestall any real momentum to get it up and running with minimal revisions. If the Commission does reopen negotiations, the number and length of changes sought by the WP29, the European Parliament, and now the EDPS may prove problematic for those hoping for swift resolution and finalization of the Privacy Shield.