At its 113th plenary meeting held on Nov. 28, 2017, in Brussels, the Article 29 Data Protection Working Party adopted its EU-U.S. Privacy Shield Report, which renders an opinion on the annual review of Privacy Shield recently conducted by the European Commission and the U.S. Department of Commerce. The WP29’s report articulates a set of concerns regarding both the commercial aspects of the Privacy Shield and U.S. surveillance laws regarding access to data for law enforcement and national security purposes. It also offers up what the WP29 would like to see in terms of remedies and some deadlines for their implementation.
Should these remedies not be addressed, the report makes clear WP29 will take legal action.
Perhaps it’s not surprising, given the many guidance documents the body creates for EU data protection compliance, but WP29 has expressed concern about the lack of “clear guidance” provided by the Department of Commerce and the Federal Trade Commission to companies adhering to the Privacy Shield. Historically, both U.S. agencies have eschewed “overly prescriptive tools” in favor of a case-by-case analysis of compliance.
To adhere to the recommendations outlined in the WP29’s report, the DoC and FTC would need to provide companies with more precise guidance on the application of the Choice Principle, the Notice Principle, and onward transfers (at a minimum), as well as provide EU individuals with more information “regarding their rights and available recourses and remedies” under U.S. law. WP29 would also like U.S. authorities to provide clearer information to U.S. data processors that contract with EU data controllers, information that is cognizant of the differences between the responsibilities of data processors and data controllers under the GDPR.
Another concern of WP29 is the difference between EU and U.S. authorities’ reading of the term “HR data.” This is an important term to define because the processing of “HR data” benefits from additional safeguards in the Shield framework, including being under the supervision of an informal panel of EU DPAs. However, currently, EU employee data that is transferred to a Privacy Shield-certified organization in the U.S. is not treated as HR data but as commercial data.
The WP29 would like this situation to change. Essentially, the WP29 is of the opinion that “any data concerning an employee in the context of an employer-employee relationship” should only be transferred under the Privacy Shield if the receiving company has an active HR data certification.
A third concern is rooted in the fact that the Privacy Shield is a self-certification system. Making the argument that such a system leaves companies’ obligations unchecked, WP29 would like U.S. authorities to “devote sufficient resources at oversight and enforcement activities of the certified companies after the actual certification.” For example, it calls for “increased control” by the DoC over companies providing Independent Recourse Mechanisms. It also requests that the FTC or Department of Transportation perform periodic “sweeps” or “compliance reviews” of Privacy Shield-certified organizations to identify non-compliant ones a priori, rather than only doing so upon suspicion of a breach.
Another concern involves automated decision-making and profiling. Directing a suggestion at the European Commission, the WP29 called for it to “contemplate the possibility to provide for specific rules concerning automated decision making.” These could include, for example, the right to know the logic(s) involved and the right to request reconsideration of a decision on a non-automated basis.
With respect to managing the recertification process, the WP29 also invited changes to the one-month deadline from the time a company’s certification expires to the time it is referred to the FTC. The aim of these changes would be to ensure that no recertification gap—whereby a company’s certification status can be indicated as active on the DoC list for up to 30 days after its expiry—would occur.
Lastly, regarding access to data for law enforcement and national security purposes, the WP29 proposed May 25, 2018, as a deadline for U.S. authorities to appoint an Ombudsperson, clarify its powers, and appoint new members to the vacancies on the Privacy and Civil Liberties Oversight Board. By the time of the second joint review of the EU-U.S. Privacy Shield (September 2018), WP29 also requests evidence from U.S. authorities to substantiate their assertions about certain aspects of section 702 of FISA. If section 702 FISA were to be re-authorized, the WP29 calls for amendments to it that would “provide for precise targeting, along with the use of the criteria such as that of ‘reasonable suspicion’, to determine whether an individual or a group should be a target of surveillance.”
If these concerns are not addressed, WP29 signaled it would bring the Privacy Shield adequacy decision to EU national courts so that a reference can be made to the CJEU for a preliminary ruling.