GDPR adopted & EU-U.S. Privacy Shield rejected!

Busy times in data protection land! The General Data Protection Regulation (GDPR) was finally adopted by the European Parliament yesterday, 14 April. It will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date. During this time frame, companies will have to adapt their businesses and processes to the new rules.

Also this week, the Article 29 Working Party rendered a negative opinion on the EU-U.S. Privacy Shield (see our previous newsletter for more details) after a thorough assessment of the scheme.

Even though the WP 29 welcomed significant improvements to the scheme, it raised three major points of concern:

  1. the draft adequacy decision does not oblige organisations to delete data if they are no longer necessary,
  2. the U.S. administration does not fully exclude the continued collection of massive and indiscriminate data, and
  3. the powers granted to the Ombudsperson are insufficient.

In its opinion, the WP 29 welcomes the following significant improvements:

  • The insertion of key definitions such as "personal data", "processing" and "controller".
  • The mechanisms to ensure the oversight of the EU-U.S. Privacy Shield list.
  • The mandatory internal and external reviews of compliance.

Despite these significant improvements, the WP 29 expressed the following strong concerns regarding both the commercial aspects and access by public authorities to data transferred on this basis:

  • Overall lack of clarity: information difficult to find and at times inconsistent, language lacking clarity.
  • Necessary review of the EU-U.S. Privacy Shield following the entry into application of the GDPR, to ensure consistency in both scope and terminology.
  • Some key EU data protection principles are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions (e.g. the data retention principle is not expressly mentioned, the application of the purpose limitation principle is unclear, and the wording on the protection that should be afforded against individual decisions based solely on automated processing is unclear). The WP 29 therefore suggests introducing clear definitions, to be collected in a glossary of terms included in the EU-U.S. Privacy Shield.
  • Onward transfers under the Privacy Shield to third-country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lower or circumvent EU data protection principles. In general, onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to processors.
  • The new redress mechanism may in practice prove too complex and difficult for EU individuals to use, and therefore ineffective. Further clarification of the various recourse procedures is therefore needed.
  • The representations of the U.S. Office of the Director of National Intelligence do not exclude massive and indiscriminate collection of personal data originating from the EU.
  • The Ombudsperson is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.

This assessment of the WP 29 is only an opinion and, as such, not binding. However, it is very likely that the WP 29 recommendations will be followed in order to avoid a new "Schrems case". In such a case, modifications would have to be negotiated with the U.S., which could delay the approval process.