The European Data Protection Board (EDPB), which brings together the data protection authorities of the EU Member States, published on Monday 18 November its report on the third assessment of the functioning of the transatlantic data protection system, the ‘Privacy Shield’.
Overall, the report welcomes the efforts made by the US authorities to implement the scheme, as well as the completion of the appointment procedure to the US Privacy and Civil Liberties Oversight Board (PCLOB) and the appointment of Keith Krach as Permanent Ombudsperson. But above all, it underlines that several of the concerns raised by the EDPB during the second evaluation (see EUROPE 12181/9) remain current.
This is particularly the case for the powers of the Ombudsperson, who is responsible for managing complaints from Europeans whose data are processed by American companies, which are considered largely insufficient to carry out his duties effectively.
“The EDPB is not in a position to conclude that the Ombudsperson is bested with sufficient powers to access information and to remedy non-compliance. Thus, it still cannot state that the Ombudsperson can be considered an ‘effective remedy before a tribunal’ in the meaning of Art. 47 of the EU Charter of Fundamental Rights”, it writes in its report.
In its assessment, presented on 23 October last (see EUROPE 12355/9), the European Commission, for its part, considered that the first complaint lodged with the Ombudsperson through the Croatian Data Protection Authority - even if it was finally considered inadmissible - had demonstrated that the mechanism was working properly.
The EDPB disagrees and in its report also recalls that the Ombudsperson does not have powers that would generally be granted to the courts or other independent bodies to fulfil their role. It also points out that the Ombudsperson’s decisions cannot be brought to court for judicial review and that, therefore, it is impossible for the complainant to obtain redress when the Ombudsperson does not act or when he provides an unsatisfactory response to the complainant.
European data protection authorities also continue to believe that improvements are needed in terms of compliance checks. In their view, the measures taken by the US authorities have so far focused on procedural violations of the framework rather than on the substance, and they consider that the very substance of the principles of the framework is not verified.
Other areas also require particular attention, according to the EDPB, such as the application of requirements for subsequent transfers, data collection by public authorities and the recertification process.
The EDPB also recalls that several of its concerns will be addressed by the Court of Justice of the European Union in the context of the ‘Schrems II’ case (C-311/18). The Advocate General’s Opinion is expected on 12 December 2019 (see EUROPE 12292/15).
See the report: http://bit.ly/2O4i24B (Original version in French by Marion Fontana)