In relation to the first annual Joint Review of the EU-U.S. Privacy Shield Framework, the Article 29 Data Protection Working Party (WP29), an independent European advisory body on data protection and privacy, issued its findings on November 28, 2017.

The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU Law.  As we discussed in a previous blog post, the framework is based on a certification system whereby U.S. companies commit to adhere to a set of Privacy Shield Principles. Other mechanisms for transferring personal data to the U.S. from the EU are through binding corporate rules, model contracts, or use of one of a number of derogations to the EU’s restrictions on cross-border data transfers.

The report reflects the Working Party’s views in relation to the first annual joint review of the Privacy Shield program. It acknowledges both the progress and the efforts to implement Privacy Shield, but it raises a number of concerns and calls on the European Commission and U.S. authorities to restart discussions to address those concerns by May 25, 2018, which is the date the General Data Protection Regulation (GDPR) takes effect.

The report states that if the concerns are not adequately addressed by that time, the WP29 will take appropriate action, including the possibility of challenging the Privacy Shield adequacy decision before the national courts (who, in turn, would refer the case to the European Court of Justice (CJEU) for a ruling).

The report addressed six areas of concern:

1. Guidance on the principles of the Privacy Shield

The report recommends that the U.S. Department of Commerce (DoC) and the Federal Trade Commission (FTC) provide more practical guidance to companies regarding compliance with Privacy Shield. For example, the report identifies the need for more precise guidance on when and how a data subject can opt out from processing of his/her data for a new purpose and more guidance regarding onward transfers. The report also recommends that the U.S. authorities offer more information in an accessible and easily understandable form to EU individuals regarding their rights and remedies.

2. HR data

The findings gathered during the joint review indicate that the WP29 and DoC interpret the scope of human resources data differently. Specifically, DoC believes that HR data is limited to the processing of data of employees within the same company. As a result, processing of data of an EU company’s employees after being transferred to a Privacy Shield certified processor in the U.S. would be considered processing of commercial data, not HR data. In contrast, WP29 interprets “HR data” as any personal data concerning an employee in the context of an employer-employee relationship. Accordingly, the report calls on the European Commission to address this issue and, if necessary, engage in negotiations with the U.S. authorities to amend the Privacy Shield framework.

3. Oversight and supervision of compliance with Principles

The report recommends the implementation of more proactive supervision practices by U.S. authorities. Specifically, the report encourages DoC and/or FTC to engage in monitoring that could detect false claims either through internet searches, as well as periodic “sweeps” through the use of questionnaires or on-site verifications. WP29 also notes that U.S. authorities appear to be focusing on compliance during the certification or recertification processes, and not enough to ensure compliance during the intervening periods of time.

4. Application of the Privacy Shield to processors established in the U.S.

DoC confirms that when examining a request for self-certification submitted by a company under the Privacy Shield, it does not differentiate between controllers and processors. The report calls on U.S. authorities to provide additional public guidance concerning the application of the Privacy Shield to processors and to distinguish more clearly processors from controllers in reviewing certification applications.

5. Automated-decision making/Profiling

While the findings gathered during the Joint Review seem to indicate that none of the data transferred under the Privacy Shield are processed through automated decision-making systems, the Working Party questions the accuracy of these assertions. Therefore, the report calls upon the commission to contemplate the possibility to provide specific rules concerning automated decision making to provide sufficient safeguards.

6. Self-certification process and cooperation between U.S. authorities in the Privacy Shield mechanism

Finally, the report recommends that the DoC recertification process be adjusted in order to avoid any potential gap that may occur during either the certification or recertification process by developing a process where the public statements made by the organizations in their privacy policies are synchronized with the publication of the Privacy Shield last flagging the organizations’ certificate as active.  When the certification has expired and the recertification process is not yet complete, an organization’s certification could be flagged as inactive on the Privacy Shield.  In addition, the WP29 notes its regret that there is no proactive practice of searching for false claims of Privacy Shield certification and/or verification and the links made available to access their privacy policies, and recommends that DoC and the FTC focus their efforts to include such checks in their monitoring activity.

Data for law enforcement and national security purposes

The report also addresses the derogations to the Privacy Shield that allow access to data for law enforcement and national security purposes, and it acknowledges certain efforts by the U.S. government to become more transparent, such as publishing decisions by the Foreign Intelligence Surveillance Court. In addition, the report acknowledges that surveillance law in the U.S. is evolving.

Nevertheless, the report, notes that concerns expressed in previous opinions have not been fully resolved. Specific concerns relating to the collection of data for national security purposes include the lack of comprehensive oversight of all surveillance programs and the lack of full redress for EU individuals. In addition, while the report notes that the WP29 welcomes the establishment of an Ombudsperson mechanism to redress EU individuals’ rights with regard to U.S. intelligence activities, concerns remain that there is no judicial review of the Ombudsperson’s decisions.

Privacy Shield is an important mechanism for transferring personal data to participating companies in the U.S. DoC has certified more than 2,400 companies and approximately 20 new companies apply for certification each week. We will continue to monitor developments in this area.