The Plenary of the Article 29 Working Party (composed of national Data Protection Authorities – DPAs – in Europe and the European Data Protection Supervisor) met on 26 July to discuss, among other topics, the adopted text of the EU-US Privacy Shield and its accompanying adequacy decision issued by the European Commission on 12 July.
The Group adopted a Statement concerning its assessment of the adopted version of the Privacy Shield. To make a long story short, WP29 issued an Opinion on the Privacy Shield on 13 April, containing concerns, some of which outstanding, about the level of protection afforded by the Privacy Shield to personal data transferred from the EU to the U.S.. This, together with a later Opinion issued by the European Data Protection Supervisor, prompted the Commission to go back to the negotiation table with representatives of the U.S. government in order to alleviate these concerns. On 12 July, after passing through the vote of the Article 31 Committee, the final text of the Privacy Shield was adopted by the Commission.
The Statement issued by WP29 is meant to address the changes brought to the text of the Privacy Shield after the last rounds of negotiations. Have the two negotiating parties addressed the concerns raised by DPAs? Have they provided the requested clarifications?
WP29 stated that:
‘a number of these concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.’
The WP29 statement is very brief – so the Group preferred not to launch in an extensive legal analysis of the changes brought to the text. This would have required more time and the benefits of a detailed analysis at this stage, after the text has just been adopted, are few. However, the messages are very clear in the one-pager statement and they are quite critical.
The DPAs highlight three key issues that were not solved regarding transfers in the commercial area (and they mention these three as an example, suggesting thus that there are more ‘concerns’ which have not been dealt with):
- the lack of specific rules on automated decisions (profiling)
- the lack of a general right to object
- the fact that it remains unclear how the Privacy Shield Principles apply to processors
WP29 also refers to two issues that are not entirely solved regarding access by law enforcement to the transferred data:
- the guarantees concerning the independence and the powers of the Ombudsperson mechanism are not strict enough
- the lack of concrete assurances that such practice does not take place (while, at the same time, noting ‘the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data’ – yes, collection and not use)
At least the two last points stand right at the essence of the right to personal data protection and, respectively, the right to respect for private life. The first one has the ability to trigger a breach of Article 8(3) of the Charter of EU (independence of supervisory authorities) and the second one could amount to ‘legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications’. And, as the CJEU found, such legislation ‘must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter’ (para 94 of the Schrems judgement).
Moreover, even the former three identified points of concern could be understood as lacking to implement the general obligation to protect personal data from Article 8(1) of the Charter, were they to be analysed by a Court. (For a similar reasoning, but concerning the rules on international data transfers, see para 72 of the Schrems judgment.)
So, why do I think WP29 did not give a ‘carte blanche’ or a ‘green light’ for the application of the Privacy Shield?
First, because it is not in its competence to do so. According to Article 29(1) of Directive 95/46, the WP29 ‘shall have advisory status’. Article 30 of the Directive enumerates all the competences and powers of the Working Party – giving opinions, informing the Commission, issuing recommendations, advising the Commission. WP29 is not a Court. It is not even an administrative body that can deal with complaints and issue enforceable decisions to solve them. It cannot simply decide that a legal act issued by the European Commission (such as an adequacy decision) will be disapplied. Or, even more so, annulled.
The CJEU was more than clear in Schrems when stating that ‘the Court (of Justice of the EU – my addition) alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid, the exclusivity of that jurisdiction having the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly’ (para 61 of the judgment).
WP29 could not challenge the Privacy Shield in Court, either. It does not have this competence.
The ones that could indeed challenge the validity of the adequacy decision are the individual members of the Article 29 Working Party, the national DPAs – and only those whose national law gives them the legal standing to go to their national Courts (the others could also initiate such proceedings, if they would know how to directly invoke in front of the national courts the provisions of Directive 95/46 granting them this competence – third indent of Article 28(3); but this is another EU law discussion).
However, just as the CJEU points out in the Schrems judgment, court proceedings initiated by the DPAs are most likely to be possible only in situations where a complaint was made by an individual (this also depends on national procedural laws of EU Member States) and the DPA happens to agree with the complainant.
‘where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46, read in the light in particular of Article 8(3) of the Charter, be able to engage in legal proceedings‘. (CJEU, para. 65 of Schrems)
Perhaps it is not a coincidence that the only concrete immediate step mentioned by the WP29 in its Statement is the commitment of its members to ‘proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints‘.
Another concrete step the WP29 can do about the level of protection of the safeguards contained in the Privacy Shield is, indeed, focusing on the first Joint Annual Review. The Review will probably be done at the beginning of Summer in 2017, close to the 1 year anniversary of its adoption – and it is the quickest way to have the adequacy decision of the Privacy Shield to be suspended or repealed (see paragraphs 150 and 151 of the adequacy decision), if it indeed does not provide for an adequate level of protection.
In the meantime, the members of the WP29 can very well use as guidance the complex analysis in the 58 pages of the Opinion on the draft Privacy Shield issued on 13 April when they will be dealing with complaints.
This is why I think that yesterday’s Statement is not the ‘carte blanche’ or ‘the green light’ almost everyone thought it was.
If you want to read more on the topic: