EU, US Must Repair Faulty Privacy Shield or Face Legal Action, Say Data Protection Chiefs
Privacy Shield still has significant problems that, if not quickly fixed, could lead to legal action, said the Article 29 Data Protection Working Party (WP29) in its inaugural review. The opinion on the efficacy of the trans-Atlantic personal data flow agreement listed unresolved issues with both the commercial aspects and access to personal data by U.S. surveillance agencies. The European Commission said it's working with the U.S. administration to address the concerns.
WP29 representatives said PS is an improvement over the failed safe harbor agreement, but concerns remain. Among them is lack of guidance and information for companies that sign on. No clear information is easily available for EU residents on their rights and recourses. Another problem lies in the interpretation of the concept of human resources data, the WP29 said: The Department of Commerce takes the position that data of an EU company's employees transferred to a PS-certified processor in the U.S. is commercial data that falls outside the pact's protections for "HR data," while data protection authorities believe HR data is "any personal data concerning an employee in the context of an employer-employee relationship."
Because PS is a self-certification arrangement, it's incumbent on U.S. officials to maintain strong oversight and enforcement over participating companies, said the group. Instead, the WP29 said, oversight mainly relies on the businesses providing independent recourse mechanisms. The agreement's framework requires that Commerce conduct periodic compliance reviews, which haven't happened yet, it said. There has also been no "sweep" of Privacy Shield companies by the FTC, it said.
On access to data for law enforcement and national security purposes, the WP29 noted the U.S. government became more transparent about the use of its surveillance powers and that surveillance laws are evolving. During the review, U.S. officials said no bulk collection would take place outside that country and collection of data in that context could be based on only the Foreign Intelligence Surveillance Act and statutes on national security letters. Officials confirmed that only data of specific targets could be collected and the definition of "targets" was subject to various internal checks and compliance with criteria approved by the FISA court.
The imminent decision to reauthorize Section 702 of FISA before year's end is "an important opportunity to include additional safeguards," such as enshrining the protections for non-U.S. persons contained in presidential policy directive 28 (PPD-28), and providing for precise targeting together with the use of criteria such as "reasonable suspicion," the WP29 said. It said the U.S. offered no further information on how it's interpreting PPD-28. WP29 repeated complaints that the Privacy and Civil Liberties Oversight Board still has only one member, and there's still no permanent PS ombudsman.
The WP29 urged the EC and U.S. "to restart discussions," set up an action plan "immediately," and prioritize the appointment of an independent ombudsman and PCLOB members, and a further explanation of the rules of procedure. If these concerns aren't addressed by May 25, it said, "members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the [Court of Justice of the EU] for a preliminary ruling."
The report "confirms the relevance of the Commission's recommendations for further improvements," an EC spokesman said. The October EC review (see 1710180001) said "Privacy Shield works well, but there is some room for improving its implementation, including on the functioning of the Ombudsman's office," Justice Commissioner Vera Jourová said then. The EC "has already started the process of working with the US administration to address the concerns," said the spokesman, with letters to Secretary of Commerce Wilbur Ross, Attorney General Jeff Sessions and Secretary of State Rex Tillerson "urging them to do the necessary improvements, including on the ombudsman, as soon as possible," he said.
"Enforcing international privacy frameworks such as Privacy Shield is an integral part of our privacy and data security program," the FTC emailed. "We appreciate the WP29’s recognition of US efforts on Privacy Shield as well as the willingness to engage on the program." The Department of Commerce didn't immediately comment, and NTIA said it refers questions about PS to Commerce.
The review "was delayed significantly as the commission struggled to fit their political decision to say it was working well with its expert view that it was not," said European Digital Rights Executive Director Joe McNamee. Now the EC has made a political decision PS is working, while the WP29 opinion is a "more expert (but still very diplomatic and understated) view," he said. "The long history of competition between law and politics in this policy area continues."