Privacy Shield good to go for at least a year, say EU regulators

Transatlantic data transfer framework approved, but will need more fine-tuning in the first joint review in a year’s time

The Article 29 Working Party (WP29) of European privacy regulators has approved the EU-US Privacy Shield framework for transatlantic data transfers for at least a year.

The approval comes two weeks after the European Commission adopted the framework officially, enabling US businesses to apply for certification under Privacy Shield from 1 August 2016.

While the WP29’s approval gives businesses more certainty, the group’s members still have concerns about several aspects of the framework, which was designed to replace the Safe Harbour agreement after it was declared invalid by the Court of Justice of the European Union (CJEU).

In a statement, the WP29 welcomed the improvements to the Safe Harbour agreement brought by Privacy Shield and commended the EC and US for taking some of its views into consideration in drafting the final version of the new agreement.

However, the regulators said some concerns still remain about both the commercial aspects and the access by US public authorities to data transferred from the EU.

Specifically, the WP29 members are still concerned about the:

  • Lack of specific rules on automated decisions.
  • Lack of a general right to object.
  • Applicability of Privacy Shield to processors.
  • Independence and powers of the ombudsman mechanism.
  • Lack of concrete assurances that bulk data collection does not take place.

“The first joint annual review will therefore be a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed,” the regulators said.

“When participating in the review, the national representatives of the WP29 will not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective.”

The WP29 also warned that the outcome of the first joint review regarding access by US public authorities to data transferred under Privacy Shield may affect other transfer tools, such as binding corporate rules (BCRs) and standard contractual clauses (SCCs).

In the meantime, the WP29 said its members are committing themselves to assisting data subjects “proactively and independently” with exercising their rights under the Privacy Shield mechanism, particularly when dealing with complaints.

The WP29 said it will soon provide information to data controllers about their obligations under the Shield, comments on the citizens’ guide, suggestions for the composition of the EU centralised body and for the practical organisation of the joint review.

Eduardo Ustaran, partner and European head of privacy and cyber security at law firm Hogan Lovells, said the WP29 statement means businesses will have to take a view on whether Privacy Shield is robust enough, knowing there is not 100% certainty.

“However, taking everything into account, I think a degree of consensus is likely to build up in favour of Privacy Shield as a valid mechanism for transfers of data to the US,” Ustaran told Computer Weekly.

All in all, the uncertainty about the long-term acceptance of Privacy Shield is set to be prolonged, he said. “But on a positive note, the EU regulators appear willing to work with all the parties involved to make it work,” he added.

Aaron Simpson, partner at law firm Hunton & Williams, said the WP29 statement recognises the good work done by the negotiating parties while emphasising that more work remains to fine-tune that balance.

“Importantly, the WP29 statement makes it clear that it believes this remaining work can be carried out in the context of the Shield’s novel joint review process, which was included to enable Privacy Shield to be a dynamic framework that evolves over time,” he said.

Although the path forward is “not crystal clear”, said Simpson, given the fact that the alternatives to Privacy Shield face challenges of their own, the WP29 statement should provide the comfort many companies were seeking before committing to the framework.