June 30, 2022

Volume XII, Number 181

Advertisement
Advertisement

June 29, 2022

Subscribe to Latest Legal News and Analysis

June 28, 2022

Subscribe to Latest Legal News and Analysis

June 27, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

Article 29 Working Party has “Strong Concerns” About Privacy Shield

On Wednesday, the EU’s Article 29 Working Party issued its much-anticipated statement on the viability of the proposed EU-US Privacy Shield. As we’ve detailed previously, EU and US officials reached agreement on the Privacy Shield arrangement, which was meant to serve as a replacement for the invalidated Safe Harbor program, back in February, and released details of the Privacy Shield scheme a few weeks later. Observers then began eagerly awaiting the Article 29 Working Party’s opinion on the Privacy Shield, because even though the group’s opinion is not binding on the European Commission – which is responsible for shepherding the Privacy Shield through the approval and adoption process – it nevertheless may prove influential as that process moves forward.

The Working Party’s statement begins by recognizing the “significant improvements brought by the Privacy Shield compared to the Safe Harbor” program, but nevertheless goes on to cite “strong concerns” about the security of the data that would be transferred under the Privacy Shield. More specifically, the Working Party believes that the Privacy Shield does not adequately address a number of data protection principles enshrined in EU law, such as purpose limitation (the requirement that personal data be processed for a specific purpose, and that additional processing be carried out in line with this purpose), data retention, and protection of data subjects from automated decisionmaking. Moreover, the statement claims that it may be too difficult for Europeans to resort to recourse mechanisms in the US if they feel their personal data has been misused.  This last part of the statement may prove to be a major hurdle going forward, as granting Europeans the right to pursue such recourse was a cornerstone of the US approach to addressing EU data security concerns and, as such, facilitated the negotiations that ultimately led to the Privacy Shield agreement. Along those same lines, the statement evinces some skepticism that the Ombudsperson contemplated by the Privacy Shield as a recourse mechanism may not be sufficiently independent, as the Ombudsperson will work within the US Department of State. Perhaps unsurprisingly, the Working Party also is concerned that the Privacy Shield does not adequately foreclose the possibility of “massive and indiscriminate collection of personal data” exported to the US from the EU.

The statement also echoes the complaints of some practitioners in noting that that the Privacy Shield currently suffers from a “lack of clarity” owing to the fact that the details pertaining to the program are contained in a series of documents, thus making some of those details difficult to find. The Working Party further states that the Privacy Shield will have to be reviewed again in 2018, after the General Data Protection Regulation (GDPR) becomes law, in order to ensure that the Privacy Shield complies with the new privacy regime.

The Working Party’s concerns, as voiced in its statement, serve to underscore the likelihood that the Privacy Shield will face legal challenges even if it is finalized and implemented in the coming months. Companies that need to engage in cross-Atlantic data transfers should consider adopting standard contractual clauses or binding corporate rules to legitimize those transfers, as the Privacy Shield may not be a reliable means of legally exporting data out of the EU for some time, if ever.

© 2022 Proskauer Rose LLP. National Law Review, Volume VI, Number 106
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Courtney M Bowman, Litigation Attorney, Proskauer, Law Firm
Associate

Courtney Bowman is an associate in the Litigation Department. She assists clients in a wide variety of industries with issues related to privacy, data security and general commercial litigation. Courtney has helped clients develop and implement global privacy programs, has assisted clients in legalizing cross-border data transfers and regularly collaborates with her colleagues in Proskauer’s international offices, as well as local counsel, to counsel clients on compliance with data protection laws and regulations in the EU, including becoming compliant with the General...

310-284-4584
Advertisement
Advertisement
Advertisement