Disclosure of documents subject to implied undertakings
Following on from our blogs of 9 February and 15 March (see here and here), the Article 29 Working Party has set out its assessment of the EU-US Privacy Shield. That assessment can be summarised as “Better…but not good enough”.
The Article 29 Working Party (WP29) has welcomed the “significant improvements” brought by the Privacy Shield as compared to the Safe Harbour but at the same time expressed its “strong concerns” about areas of the European Commission’s draft adequacy decision and related documents. One set of concerns is in relation to what WP29 categorises as “commercial aspects”. Here the concerns include: whether the purpose limitation principle and the data retention principle (principles 2 and 7 in Schedule 1 of the Data Protection Act 1998) are properly reflected in the Privacy Shield; the lack of protection for data transferred to third countries from US recipients under the Privacy Shield; and, whether the new redress mechanism is in practice likely to be helpful to data subjects. The second set of concerns arises out of the potential for wholesale and indiscriminate collection of data by US Government bodies.
WP29 has urged the European Commission to address the concerns that it has raised and to improve the Privacy Shield to provide protection equivalent to that available in the EU. WP29 has not said what it will do if the Commission fails to achieve this but even if it does not make any further statement, what has been said now will be powerful ammunition for anyone who may seeks to challenge the Privacy Shield in a follow on from the Safe Harbour litigation. WP29 has said that the Privacy Shield will in any event need to be reviewed in 2018 to take account of the higher level of data protection that will then be in force under the General Data Protection Regulation (GDPR) (which was approved by the European Parliament on 14 April 2016).
The Commission now finds itself in a difficult position. The WP29’s opinion draws on the clear jurisprudence of the Court of Justice of the European Union and the European Court of Human Rights. The case law of both courts confirms for example that EU citizens must have access to effective remedies to vindicate their rights under EU law. The proposed redress mechanism under Privacy Shield – through, in part, the US Ombudsmen – is likely to be too complex and difficult to use, thus meaning in practice that EU individuals will not enjoy the enhanced protections nominally offered by Privacy Shield. The Commission has however already spent a great deal of time negotiating an intricate international agreement with the USA. One queries whether the Commission would be willing to substantially re-start these negotiations especially so since the US government and legislature have already started to act on the Privacy Shield provisions.
What should organisations do now?
The WP29 reinforces the need for organisations to be cautious in anticipating that they will be able to rely on the Privacy Shield. It may prove only to be a medium-term fix until a more comprehensive agreement can be reached come 2018 when the GDPR comes into force. Organisations will, for now, have to rely on existing data transfer mechanisms (such as binding corporate rules) to transfer data from the EU to the US.
Skip to content Home About Us Insights Services Contact Accessibility