It is increasingly unlikely that the European Commission will adopt the Privacy Shield in the coming months. This means that U.S. multinationals will continue to scramble for solutions to legally transfer data from Europe to the U.S.
Like the Article 29 Working Party, the European Data Protection Supervisor (EDPS) raised fundamental concerns about the quality of the draft EU-U.S. Privacy Shield Adequacy Decision (Privacy Shield). Neither opinion is binding on the European Commission, but there is no doubt that these opinions are influential.
The EDPS, Giovanni Buttarelli, issued his opinion saying that the current draft of the Privacy Shield requires “significant improvements” in order to provide for a stable and future-proof data transfer arrangement. The EDPS considers that there is still a lot of work to be done to bridge the gap between the U.S. and the European data protection standards.
For the Privacy Shield to be effective, it must provide adequate protection against mass surveillance and ensure robust redress and data protection mechanisms. The EDPS suggests that the Privacy Shield should include all main EU data protection principles. The EDPS puts particular emphasis on the data minimisation and data retention principles which currently do not feature in the draft Privacy Shield. The provisions around the right to access and the right to object should, according to Mr. Buttarelli, also be enhanced.
Giovanni Buttarelli, EDPS, said:
“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue”.
In doing so, the negotiating parties should take into account the new General Data Protection Regulation (GDPR) which will come into force across the EU in May 2018.
The European Commission can choose to ignore this opinion or address the concerns and seek to renegotiate the proposal. Once the European Commission adopts a decision, it is binding and can only be challenged by the European Court of Justice.
Why is the European Commission adopting the Privacy Shield?
The Council and the European Parliament have given the Commission the power to determine whether a third country ensures an adequate level of data protection by reason of its domestic law or of the international commitments it has entered into. This is based on Article 25 (6) of the Privacy Directive.
What is the Privacy Shield?
In October 2015, the European Court of Justice ruled that the Safe Harbour framework was invalid because it did not provide a sufficient level of data protection for personal data transferred by companies from the EU to the U.S. as required by EU law. In February 2016, the EU-U.S. Privacy Shield was announced by the European Commission and the U.S. Department of Commerce as a replacement for Safe Harbour. The EU-U.S. Umbrella Agreement covers data transfers across the Atlantic for law enforcement purposes while the EU-U.S. Privacy Shield covers data exchange for commercial purposes.
What is the function of the European Data Protection Supervisor?
The European Data Protection Supervisor is the independent supervisory authority at EU level with responsibility for:
– monitoring the processing of personal data by the EU institutions and bodies
– advising on policies and legislation that affect privacy
– cooperating with similar authorities to ensure consistent data protection.