Yesterday the WP29 held a press conference in respect of their thoughts on the Privacy Shield. While they were positive in welcoming changes to the Safe Harbour system they called for further improvements that must made to ensure Privacy Shield is in line with data protection obligations.
The Privacy Shield is being brought in to replace the old Safe Harbour regime in respect of transfers of data across the Atlantic. Safe Harbour was brought down in the Schrems judgement.
WP29 has 2 main concerns about Privacy Shield:
1. the potential for bulk surveillance; and
2. the independence of the Ombudsman.
Privacy Shield contains certain national security exceptions in respect of bulk surveillance of citizens including the very vaguely defined 'counter terrorism purposes'. It also provides for an ombudsman to deal with complaints from EU citizens on how their data has been used by the NSA.
Helpfully WP29 did again confirm that alternative transfer mechanisms such as binding corporate rules and model clauses can still be used to validate transfers of personal data to the US for the time being.
So what are the next steps in progressing the Privacy Shield and does the Commission have to take into account the comments of WP29?
The Commission is waiting to hear from the Article 31 Committee. This is a group of representatives from the various member states who are due to meet to discuss the Privacy Shield in April and May.
The Commission must then decide if it wishes to make any amendments to the Privacy Shield based on the comments of the various groups.
If the Commission does not take into account the WP29 concerns then there is potential that the Data Protection Authorities that make up the working party could mount a legal challenge against the Privacy Shield in the Court of Justice.
It seems to us that if Safe Harbour was brought down by the concerns around mass surveillance then Privacy Shield could be heading down the same path if adjustments are not made.
Watch this space......
Deema Freij, global privacy officer at Intralinks said: “If the EC and the US bodies do not take the opinion of the Article 29 working party seriously, Privacy Shield is more likely to be challenged in the higher European courts in the near future, especially if the Max Schrems case is anything to go by. Then we’re back to square one.”