At its 113th plenary meeting held on Nov. 28, 2017, in Brussels, the Article 29 Data Protection Working Party adopted its EU-U.S. Privacy Shield Report, which renders an opinion on the annual review of Privacy Shield recently conducted by the European Commission and the U.S. Department of Commerce. The WP29’s report articulates a set of concerns regarding both the commercial aspects of the Privacy Shield as well as U.S. surveillance laws regarding access to data for law enforcement and national security purposes. It also offers up what the WP29 would like to see in terms of remedies and some deadlines for their implementation.
Should these remedies not be addressed, the report makes clear WP29 will take legal action.
Perhaps it's not surprising, given the many guidance documents the body creates for EU data protection compliance, but WP29 has expressed concern about the lack of “clear guidance” provided by the Department of Commerce and the Federal Trade Commission to companies adhering to the Privacy Shield. Historically, both U.S. agencies have eschewed “overly prescriptive tools” in favor of a case-by-case analysis of compliance.
To adhere to the recommendations outlined in the WP29’s report, the DoC and FTC would need to provide companies with more precise guidance on the application of the Choice Principle, the Notice Principle, and onward transfers (at a minimum), as well as provide EU individuals with more information “regarding their rights and available recourses and remedies” under U.S. law. WP29 would also like U.S. authorities to provide clearer information to U.S. data processors that contract with EU data controllers, which is cognizant of the differences between the responsibilities of data processors and data controllers under the GDPR.
Another concern of WP29 is the difference between EU and U.S. authorities’ reading of the term “HR data.” This is an important term to define because the processing of “HR data” benefits from additional safeguards in the Shield framework, including being under the supervision of an informal panel of EU DPAs. However, currently, EU employee data that is transferred to a Privacy Shield-certified organization in the U.S. is not treated as HR data but as commercial data.
The WP29 would like this situation to change. Essentially, the WP29 is of the opinion that “any data concerning an employee in the context of an employer-employee relationship” should only be transferred under the Privacy Shield if the receiving company has an active HR data certification.
A third concern is rooted in the fact that the Privacy Shield is a self-certification system. Making the argument that such a system leaves companies’ obligations unchecked, WP29 would like U.S. authorities to “devote sufficient resources at oversight and enforcement activities of the certified companies after the actual certification.” For example, it calls for “increased control” by the DoC over companies providing Independent Recourse Mechanisms. It also requests that the FTC or Department of Transportation perform periodic “sweeps” or “compliance reviews” of Privacy Shield-certified organizations in order to identify non-compliant ones a priori, rather than only doing so upon suspicion of a breach.
Another concern involves automated decision-making and profiling. Directing a suggestion at the European Commission, the WP29 called for it to “contemplate the possibility to provide for specific rules concerning automated decision making.” These could include, for example, the right to know the logic(s) involved and the right to request reconsideration of a decision on a non-automated basis.
With respect to managing the recertification process, the WP29 also invited changes to the one-month deadline from the time a company’s certification expires to the time it is referred to the FTC. The aim of these changes would be to ensure that no recertification gap—whereby a company’s certification status can be indicated as active on the DoC list for up to 30 days after its expiry—would occur.
Lastly, regarding access to data for law enforcement and national security purposes, the WP29 proposed May 25, 2018, as a deadline for U.S. authorities to appoint an Ombudsperson, clarify its powers, and appoint new members to the vacancies on the Privacy and Civil Liberties Oversight Board. By the time of the second joint review of the EU-U.S. Privacy Shield (September 2018), WP29 also requests evidence from U.S. authorities to substantiate their assertions about certain aspects of section 702 of FISA. If section 702 FISA were to be re-authorized, the WP29 calls for amendments to it that would “provide for precise targeting, along with the use of the criteria such as that of ‘reasonable suspicion’, to determine whether an individual or a group should be a target of surveillance.”
If these concerns are not addressed, WP29 signaled it would bring the Privacy Shield adequacy decision to EU national courts so that a reference can be made to the CJEU for a preliminary ruling.