EU DPAs: Legal action to come unless Privacy Shield improved by 25 May 2018



The EU Data Protection Authorities say that they have, despite improvements to the Privacy Shield framework, identified a number of significant concerns that need to be addressed both by the EU Commission and the US authorities. The DPAs, together as the Article 29 DP Working Party, demand an action plan to be set up immediately to address the appointment of an independent US Ombudsperson (currently there is an acting Ombudsperson). The DPAs also call for rapid appointment of new members to the vacancies on the Privacy and Civil Liberties Oversight Board (PCLOB). Unless their concerns are resolved by 25 May 2018 when the EU GDPR enters into force, the DPAs will bring the Privacy Shield Adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union for a preliminary ruling.

The DPAs have in their review focused on the assessment of both the commercial aspects of the Privacy Shield and on the legal framework relating to government access to personal data transferred from the EU for the purposes of Law Enforcement and National Security, including the legal remedies available to EU citizens.

Their review is separate from the recent review by the EU Commission, which was more positive but also pointed out the questions of the Ombudsperson and the missing members of the PCLOB, see https://www.privacylaws.com/Publications/enews/International-E-news/Dates/2017/10/EU-Commission-EU-US-Privacy-Shield-works-but-implementation-can-be-improved/

The WP29 acknowledges the progress with Privacy Shield in comparison with the invalidated Safe Harbor, and offers to advise US authorities in drafting new guidance, in particular regarding HR data and onward transfers.

The DPAs’ report on the Privacy Shield was adopted at their November Art 29 WP Plenary, which also adopted guidelines on consent and transparency as well as its updated referentials on adequacy and BCRs for controllers and processors. These documents will be published on the WP29 website in the coming days and are open to public consultation for 6 weeks before their final adoption.

The DPAs have also worked on tools for cooperation between DPAs on data breach notifications. It is expected that they will, in their February meeting, adopt guidelines on certification.

The DPAs’ Privacy Shield report is at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 (see under Plenary meetings).