After its first draft of February 29, 2016, the European Commission adopted the EU-U.S. Privacy Shield adequacy decision on July 12, 2016. The first draft was adopted after the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) on October 15, 2015 (Schrems case). A new adequacy decision was therefore highly welcome to allow the tens of thousands of U.S. and EU companies that rely on Safe Harbor to transfer personal data across the Atlantic. After the first draft of the adequacy decision, several EU institutions addressed numerous concerns regarding this first draft. First, on April 13, 2016, Article 29 Working Party (WP 29), released an opinion, noting the Privacy Shield offers major improvements “compared to the invalidated Safe Harbor decision” but, at the same time, urged the European Commission to resolve all concerns expressed by WP 29 in order to ensure that the protection to be offered by the Privacy Shield is “indeed essentially equivalent to that of the EU“. This opinion was followed on May 26, 2016 by a resolution of the EU parliament where it also expressed several concerns about the proposed Privacy Shield. Finally, on May 30, 2016 the European Data Protection Supervisor (EDPS) published its opinion where, although it “welcomed the efforts shown by the parties to find a solution for transfers of personal data”, EDPS added that “robust improvements” were needed “in order to achieve a solid framework, stable in the long term”.
The EU-U.S. Privacy Shield adequacy decision adopted on July 12, 2016 by the European Commission was supposed to cure all the concerns expressed after the first draft. The surprise is of course that WP 29’s press release of July 26, 2016 does not consider that the improvements brought by the EU Commission and the U.S. authorities to the proposal of Privacy Shield adequately respond to the concerns expressed. For instance, WP 29 regrets:
The lack of specific rules on automated decisions and of a general right to object;
That it remains unclear how the Privacy Shield Principles will apply to processors;
The lack of concrete assurance that bulk collection of personal data will not again happen, despite the commitment of the U.S. Office of the Director of National Intelligence (ODNI);
The lack of strict guarantees concerning the independence and the powers of the Ombudsmen in case of conflict caused by access by U.S. public authorities to personal data.
After expressing these criticisms, WP 29 proposes however to decide on the viability of the Privacy Shield after the first annual review of the framework that will take place in May 2017. In other words, WP 29 will not push for a legal challenge of the Privacy Shield before the first review. This said, even though the timing proposed by WP 29 seems practicable, in case of action by data subjects of privacy activists, the “wait and see” attitude of WP 29 will probably be difficult to maintain. Finally, the position of WP 29 seems very practical. Indeed, it is difficult to assess the adequacy of the Privacy Shield because it is mainly based on commitments taken from letters by different U.S. heads of administrative bodies and among others the ODNI. This meets one of the very general remarks expressed by the EDPS in its May 30, 2016 opinion, which called “for longer term solutions” “with more robust stable legal frameworks to boost transatlantic relations”. The nearly one year deadline given by WP 29 is probably the opportunity to reach robust stable legal frameworks not only for the Privacy Shield, but also for Standard Contractual Clauses and Binding Corporate rules when they relates to transfers of personal data to the U.S.