The latest Privacy Shield update is that the Article 29 Working Party has come back with comments on the Privacy Shield draft. In this Privacy Shield update, the working party has stated that they are generally satisfied that the draft Privacy Shield is an improvement on the Safe Harbour Agreement but they have raised several areas of concern. We have analysed the working party’s comments to bring you the critical Privacy Shield updates.
The Privacy Shield is going to have a Far-Reaching Impact
This Privacy Shield update is important because many businesses operating inside and outside of the EU are going to be affected by the Privacy Shield, so it is worth keeping up to date on its wording and requirements. A critical development in this Privacy Shield update has been the push by the working party to suggest that any transfer from the US to a third country must comply with the Privacy Shield principles. In other words, if your business is storing data that is coming from the US, that storage will need to comply with the Privacy Shield principles.
Who is the Article 29 Working Party?
The Article 29 Working Party (WP29) is composed of representatives of:
- the national data protection authorities (DPA),
- the European Data Protection Supervisor (EDPS) and
- the European Commission.
The working party’s objective is to assess the draft Privacy Shield in light of the General Data Protection Regulation, the 95 Directive and the European Convention on Human Rights. The objective of the working party is to make sure that citizens are provided with the equivalent level of protection when data is processed and transferred between Europe and the US.
Concerns with the Privacy Shield
The three main concerns raised by the WP29 in this Privacy Shield update were:
- The language used in the draft Privacy Shield does not oblige organisations to delete data that is no longer necessary.
- The US Administration has not fully excluded the continued collection of large amounts of indiscriminate data.
- The draft Privacy Shield introduces an ombudsman mechanism for dealing with issues and complaints. However, the WP29 are concerned about whether the ombudsman has been given sufficient powers to function effectively. In other words, will the ombudsman actually work?
WP29’s opinion raises multiple concerns with the current construction of the Privacy Shield. In this Privacy Shield update, we consider the following issues to be of primary concern:
There is ambiguity as to the extent to which the Privacy Shield principles apply to certified organisations in the US who are receiving data from the EU for processing purposes. Certified organisations are organisations that are certified with the US Department of Commerce and commit to the Privacy Shield principles. The lack of clarity over the Privacy Shield application to these organisations could create similar problems to the Safe Harbour agreement.
Onward transfers to third countries are a problematic area. The WP29 states explicitly that the Privacy Shield is a tool to transfer EU data from the EU to the US safely and it should be a tool to transfer data safely from the US to third countries. Therefore, any onward transfer of data to third countries should be done in accordance with Privacy Shield principles even if the third country has laws that allow for access to personal data. The WP29 suggest that if the Privacy Shield principles are applied consistently for onward transfers, then EU citizens’ rights remain protected from unjustified interference.
WP29 recommends that third countries who receive data transfers must comply with Privacy Shield principles
The data limitation principle, which states that data must only be kept as long as it is necessary to achieve the purpose for which it was collected, is a cornerstone of EU data protection law. However, the Privacy Shield in its current form does not contain a reference to this data limitation principle.
The Privacy Shield needs to limit the time that data is stored.
A user is entitled to opt out of the disclosure of personal information to a third party and/or the use of that personal information for a purpose materially different from the originally stated purpose. However, there needs to be more detail on how this opt-out procedure will function.
It is Important to follow Developments
The far-reaching effects of the Privacy Shield mean that we all need to be following and understanding the obligations and content of the Privacy Shield. We aim to provide you with up-to-date and thoughtful analysis of all the latest Privacy Shield updates. If you’re concerned about how the Privacy Shield will impact your business, please attend one of our workshops or contact us for more in-depth analysis.