Greetings from Brussels!
The key story emanating from Europe this week was the release of the WP29 "opinion" on the first annual review of the EU-U.S. Privacy Shield. On the commercial side of things, the report generally welcomes the various efforts made by U.S. authorities to set up a comprehensive procedural framework to support the operational viability of the Privacy Shield through the strengthening of checks performed prior to the listing of certified organizations. However, before we get overly confident in the mechanics, the WP29 did identify several significant concerns with the framework that it says needs addressing by both the European Commission and U.S. authorities.
Two of the key WP29 concerns mirror those articulated in the official review. While the Privacy Shield was agreed already in mid-2016, the U.S. has still to appoint an independent ombudsperson to deal with complaints from EU citizens — it still has a temporary function in place. The WP29 also had questions over the legal powers of the ombudsperson, who would not be able to bring a case to court in the U.S. In addition to this, the U.S. has yet to fill the vacant posts on the Privacy and Civil Liberties Oversight Board. No surprises here perhaps.
The European data protection authorities are also asking for “further evidence or legally binding commitments” to back up U.S. assertions that its data collection under Section 702 is not indiscriminate and that access to the data is not conducted on a generalized basis: You’ll recall that Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) refers to the powers afforded the U.S. intelligence community to collect digital communications from foreign suspects outside the United States. It is fair to say that during its September review of the Shield, the European Commission did ask Washington to strengthen the privacy protections provisions in Section 702; the lack of transparency over "fail-safes," and the intelligence community’s scope for access to European citizen data continues to be a source of concern. Interestingly enough, where Justice Commissioner Věra Jourová has so far declined to set any deadlines for resolution, the WP29 says these concerns need to be resolved by May 25, 2018 (a date you'll perhaps recognize).
As a tangential comment, and as a European citizen myself, I’d also like to see more evidence of how national DPAs are engaged in ensuring privacy rights as well as transparency on indiscriminate surveillance limitations here in the EU regarding our own indigenous security services, and how that differentiates with foreign arrangements.
The WP29 have also expressed their dismay at the lack of guidance and clear information for companies, for example, on the principles of the Privacy Shield, regarding onward transfers, as well as on the rights and available recourse and remedies for data subjects. Moreover, it was the opinion of the WP29 that further improvements should be made with regards to the interpretation on what constitutes HR data and its processing and the rules governing automated decision-making and profiling.
In conclusion, I think it relevant to note that the European regulators would like to see these concerns addressed within given timeframes and has urged authorities on both sides of the Atlantic to re-start negotiations to address resolution. Failure to do so could result in "appropriate action," including legal proceedings coming before national courts and ultimately the Court of Justice of the European Union. Strong words, or veiled threat?
If you want to comment on this post, you need to login.