Privacy Shield for U.S. Data Transfers: Back to the Drawing Board
Dr. Axel Spies is a German attorney (Rechtsanwalt) in Washington, DC, and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).
The European Commission may need to revise the draft proposal to meet the concerns expressed by the Article 29 Working Party.
On 29 February 2016, the European Commission published a draft adequacy decision to establish the EU-U.S. Privacy Shield, the replacement for the invalidated Safe Harbor program that previously allowed transfers of personal data between the European Union and certified organizations in the United States. The Article 29 Working Party (the WP), the regulatory body in Brussels representing the national data protection agencies, was asked to give its opinion.
EU Data Protection Agencies Have Various Concerns
The critique of the WP, released in a long “opinion” of 54 pages on April 13, was quite harsh. The WP, which advises the European Commission on data protection matters, initially welcomed the publication of the draft adequacy decision. Following a review of the documentation, however, the WP has given its opinion on the draft EU-U.S. Privacy Shield and expressed significant concerns that the draft proposal does not give enough protection to European citizens because “[…] massive and indiscriminate data collection is not fully excluded by the U.S. authorities and […] the powers and position of the Ombudsman have not been set out in more detail.” The WP is concerned that a number of important data protection principles have not been expressly incorporated within the legal framework of the Privacy Shield, including the data protection limitation and purpose limitation principles. The major concern of the WP seems to be the six exceptions under which the U.S. authorities can still collect European data in bulk, including counterterrorism, cybersecurity, and detecting and addressing certain activities of foreign powers. The WP also notes that there is no mechanism for updating the EU-U.S. Privacy Shield once the General Data Protection Regulation comes into force, which is now likely to be mid-2018. The regulators are also awaiting various judgments of the European Court of Justice in cases of mass data collection and retention.
The good news is that the WP has not flatly rejected the draft adequacy decision, but has instead requested that the European Commission clarify the proposal and resolve the WP’s concerns about adequately protecting personal data. The bad news is that it is unclear what the next steps are. Legally, the European Commission is not bound by the WP’s opinion and could formally adopt the draft adequacy decision notwithstanding the WP’s concerns. A more likely outcome is that the European Commission will now revise its draft adequacy decision in order to address the WP’s concerns. However, the WP doesn’t have a seat at the negotiating table with the U.S. government. The representatives of the U.S. government probably don’t have a lot of room to make further concessions to the Europeans. If the Commission adopts the Privacy Shield Framework against the opinion of the WP, this will increase the likelihood of a successful legal challenge and unilateral actions by the national data protection agencies.
In any event, the Commission must deal with various DPAs, and the WP’s opinion is only their smallest common denominator. Germany’s DPAs are the most determined to send the Privacy Shield back to the drawing board, according to a leaked document posted on the website of the State Commissioner for Data Protection of Baden-Württemberg last week, arguing that the current data transfer rules are not tough enough. Other DPAs are more conciliatory. The impact of the Privacy Shield on the national economies could also differ within Europe. The Irish government, for instance, has already stated that it is concerned about the impact on jobs in its high-tech sector if the Privacy Shield rules become tougher. Many U.S. companies with affiliated branches are located in Ireland.
As to the immediate next steps for the Privacy Shield Framework, the EU member states must give their approval in light of the WP’s opinion. The framework won’t go into effect until the European Commission issues a final decision affirming its adequacy. This is a complicated process. All this makes it unlikely that the EU-U.S. Privacy Shield will be adopted in June 2016 as originally anticipated.
Dr. Axel Spies, Morgan Lewis & Bockius, Washington, DC. Dr. Spies is the author of AICGS Issue Brief 46: “German/U.S. Data Transfers: Crucial for Both Economies, Difficult to Regain Trust” and “A Reasonable Expectation of Privacy? Data Protection in the United States and Germany.”