The Privacy Shield framework is key to allowing personal data to flow legally across the Atlantic from the EU to the US. As we’ve noted several times this year, there are a number of reasons to think that the EU’s highest court, the Court of Justice of the European Union (CJEU), could reject Privacy Shield just as it threw out its predecessor, the Safe Harbor agreement. An obscure but influential advisory group of EU data protection officials has just issued its first annual review of Privacy Shield (pdf). Despite its polite, bureaucratic language, it’s clear that the privacy experts are not happy with the lack of progress in dealing with problems pointed out by them previously. As the “Article 29 Data Protection Working Party” — the WP29 for short — explains:
Based on the concerns elaborated in its previous opinions … the WP29 focused on the assessment of both the commercial aspects of the Privacy Shield and on the government access to personal data transferred from the EU for the purposes of Law Enforcement and National Security, including the legal remedies available to EU citizens. The WP29 assessed whether these concerns have been solved and also whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.
As far as the commercial aspects of Privacy Shield are concerned, the WP29 is unhappy about a number of important “unresolved” issues such as “the lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers [of personal data] and on the rights and available recourse and remedies for data subjects.”
The issue of US government access to the personal data of EU citizens is even thornier. Although the WP29 welcomed efforts by the US government to become more “transparent on their use of their surveillance powers”, the collection of and access to personal data for national security purposes under both section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 were still a problem. On the former, WP29 suggests:
Instead of authorizing surveillance programs, section 702 should provide for precise targeting, along with the use of the criteria such as that of “reasonable suspicion”, to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.
As regards the Executive Order 12333, WP29 wants the Privacy and Civil Liberties Oversight Board (PCLOB) “to finish and issue its awaited report on EO 12333 to provide information on the concrete operation of this Executive Order and on its necessity and proportionality with regard to interferences brought to data protection in this context.” That’s likely to be a bit tricky, because the PCLOB is understaffed due to unfilled vacancies, and possibly moribund. In conclusion, the WP29 “acknowledges the progress of the Privacy Shield in comparison with the invalidated Safe Harbor Decision”, but underlines that the EU group has “identified a number of significant concerns that need to be addressed by both the [European] Commission and the U.S. authorities.” It spells out what will happen if they aren’t sorted out:
In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.
That is, it will ask the EU’s highest court to rule on the so-called “adequacy decision” of the European Commission, in which the Commission decided that Privacy Shield offered enough protection for EU personal data moving to the US. There’s a clear implication that WP29 doubts the CJEU’s ruling will be favorable unless all the changes it has requested are made soon. And without the Privacy Shield framework, it will be much harder to transfer personal data legally across the Atlantic. Moreover, the EU’s data protection laws are about to become even more stringent next year, when the new General Data Protection Regulation (GDPR) begins to apply. Organizations in breach of the GDPR can be fined up to 4% of annual global turnover (or €20 million, whichever is higher), which means even the biggest Internet companies will have a strong incentive to comply.