On Tuesday 5 December, the 'article 29' working party (WP29), which brings together the personal data protection authorities of the member states of the EU, published its report on the first joint assessment of the functioning of the transatlantic data protection mechanism, 'Privacy Shield'.
Stressing numerous concerns, the group is taking a tough line, warning: “in case no remedy is brought to the concerns of the WP29 in the given timeframes, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to the national courts for them to make a reference to the CJEU for a preliminary ruling”.
In the report, the data protection authorities took a far tougher stance than the Commission which, in its report, published at the end of October, said that Privacy Shield continued to offer an adequate level of protection for the data of Europeans transferred to companies established in the United States for commercial purposes (see EUROPE 11186).
Although they acknowledge the progress Privacy Shield represents compared to its predecessor, Safe Harbour, which was invalidated by the Court of Justice of the European Union, they remain concerned by the fact that a permanent independent mediator and members of the Privacy and Civil Liberties Oversight Board have still not been appointed. The report stresses that these priority concerns must be resolved by 25 May 2018, whilst the Commission did no more than to call for these appointments to be made as soon as possible.
On the commercial aspects of the mechanism, the group calls for increased supervision and control of compliance with the principles of Privacy Shield, particularly by means of own-initiative investigations and continuous controls on certified companies. It also invites the American authorities to draw a clear distinction between the status of those responsible for data processing and of those responsible for data control, both at the point of self-certification and subsequent controls.
As regards the access of the American authorities to the data transferred to the United States, the group recognises the efforts made by the US government in terms of transparency in the use of its supervisory powers and particularly welcomes the declassified documents that have been published. However, it calls for additional evidence or legally binding commitments to substantiate the US authorities’ claims that data are not collected systematically.
The group therefore calls upon the Commission and the US authorities to immediately set in place an action plan to demonstrate that its concerns will be addressed no later than during the second joint examination of the mechanism.
DIGITALEUROPE denounces an overly harsh report. In a press release published on Wednesday 6 December, DIGITALEUROPE, the association representing the European digital technology industry, said that the WP29 had missed the opportunity to recognise the considerable efforts made by all parties to put into practice the commitments to protect the data of European citizens.
“If the data protection authorities believe the Commission is mistaken in its assessment that the Privacy Shield lives up to its billing, then we call on them to roll up their sleeves and join their colleagues on both sides of the Atlantic in improving its implementation and enforcement, as opposed to acting as disinterested observers”, said its Director General, Cecilia Bonefeld-Dahl.
The report is available at: http://bit.ly/2ks3qPX. (Original version in French by Marion Fontana)