January 31, 2023

Volume XIII, Number 31


January 30, 2023

Subscribe to Latest Legal News and Analysis

Article 29 Working Party Expresses Concerns About EU-US Privacy Shield

European Commission may need to revise the draft proposal to meet the concerns expressed by the Article 29 Working Party.

As we reported previously (European Commission Releases Details of New EU-US Privacy Shield), on February 29, 2016, the European Commission published a draft adequacy decision to establish the EU-US Privacy Shield, the replacement for the invalidated Safe Harbor program that previously allowed  transfers of personal data between the European Union and certified organizations in the United States.

The publication of the draft adequacy decision was initially welcomed by the Article 29 Working Party, which advises the European Commission on data protection matters. Following a review of the documentation, the Article 29 Working Party has given its opinion on the draft EU-US Privacy Shield and expressed significant concerns that the draft proposal does not give enough protection to European citizens because “. . .massive and indiscriminate data collection is not fully excluded by the US authorities and. . .the powers and position of the Ombudsman have not been set out in more detail.” The Article 29 Working Party is concerned that a number of important data protection principles have not been expressly incorporated within the EU-US Privacy Shield, including the data protection limitation and purpose limitation principles. The Article 29 Working Party also identifies that there is no mechanism for updating the EU-US Privacy Shield once the General Data Protection Regulation comes into force, which is now likely to be mid-2018.

The Article 29 Working Party has not, however, rejected the proposal, but has instead requested that the European Commission clarifies the drafting of the proposal and resolves the outstanding concerns about adequately protecting personal data. Isabelle Falque-Pierrotin, chair of the Article 29 Working Party and head of France’s data protection authority, CNIL, recognized during a press conference that the EU-US Privacy Shield was a “great step forward” compared to the previous Safe Harbor program.

Next Steps

The European Commission is not bound by the Article 29 Working Party’s opinion and could still, therefore, formally adopt the draft adequacy decision notwithstanding the Article 29 Working Party’s concerns. A more likely outcome is that the European Commission will now revise its decision in order to address the Article 29 Working Party’s concerns. If so, this is likely to require further negotiations with the US authorities. Accordingly, it seems unlikely that the EU-US Privacy Shield will be adopted in June 2016 as originally anticipated.

In the meantime, companies should continue to rely on the Standard Contractual Clauses and Binding Corporate Rules for their EU-US data transfers.

Copyright © 2023 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VI, Number 105

About this Author

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Mark Krotoski, Litigation attorney, Morgan Lewis

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

Dr. Axel Spies, Telecommunications and technology lawyer, Morgan Lewis
Special Legal Consultant

Dr. Axel Spies has advised clients for many years on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing. He counsels on international data protection (EU General Data Protection Regulation), international data transfers (Privacy Shield), healthcare, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery, Dr. Spies is frequently quoted in the media for his telecommunications and privacy knowledge.

Lee Harding, employment and cybersecurity attorney, Morgan Lewis

Lee Harding advises on employment and cybersecurity matters across a variety of sectors, with an emphasis in the financial services and technology industries, including FinTech. Lee regularly counsels clients in high-stakes crisis litigation and investigations, including in relation to complex disciplinary matters, cybersecurity breaches, class actions, and cases before the High Court of Justice in London that involve business competition issues. Lee’s practice also focuses on the cross-over between employment and regulatory issues under the UK’s Senior Managers and...