Tag Archives: international data transfers

Why (I think) the WP29 Statement on the Privacy Shield is not really a ‘carte blanche’ for one year

The Plenary of the Article 29 Working Party (composed of national Data Protection Authorities – DPAs – in Europe and the European Data Protection Supervisor) met on 26 July to discuss, among other topics, the adopted text of the EU-US Privacy Shield and its accompanying adequacy decision issued by the European Commission  on 12 July.

The Group adopted a Statement concerning its assessment of the adopted version of the Privacy Shield. To make a long story short, WP29 issued an Opinion on the Privacy Shield  on 13 April, containing concerns, some of which outstanding, about the level of protection afforded by the Privacy Shield to personal data transferred from the EU to the U.S.. This, together with a later Opinion issued by the European Data Protection Supervisor, prompted the Commission to go back to the negotiation table with representatives of the U.S. government in order to alleviate these concerns. On 12 July, after passing through the vote of the Article 31 Committee, the final text of the Privacy Shield was adopted by the Commission.

The Statement issued by WP29 is meant to address the changes brought to the text of the Privacy Shield after the last rounds of negotiations. Have the two negotiating parties addressed the concerns raised by DPAs? Have they provided the requested clarifications?

WP29 stated that:

‘a number of these concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.’

The WP29 statement is very brief – so the Group preferred not to launch in an extensive legal analysis of the changes brought to the text. This would have required more time and the benefits of a detailed analysis at this stage, after the text has just been adopted, are few. However, the messages are very clear in the one-pager statement and they are quite critical.

The DPAs highlight three key issues that were not solved regarding transfers in the commercial area (and they mention these three as an example, suggesting thus that there are more ‘concerns’ which have not been dealt with):

  • the lack of specific rules on automated decisions (profiling)
  • the lack of a general right to object
  • the fact that it remains unclear how the Privacy Shield Principles apply to processors

WP29 also refers to two issues that are not entirely solved regarding access by law enforcement to the transferred data:

  • the guarantees concerning the independence and the powers of the Ombudsperson mechanism are not strict enough
  • the lack of concrete assurances that such practice does not take place (while, at the same time, noting ‘the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data’ – yes, collection and not use)

At least the two last points stand right at the essence of the right to personal data protection and, respectively, the right to respect for private life. The first one has the ability to trigger a breach of Article 8(3) of the Charter of EU (independence of supervisory authorities) and the second one could amount to ‘legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications’. And, as the CJEU found, such legislation ‘must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter’ (para 94 of the Schrems judgement).

Moreover, even the former three identified points of concern could be understood as lacking to implement the general obligation to protect personal data from Article 8(1) of the Charter, were they to be analysed by a Court. (For a similar reasoning, but concerning the rules on international data transfers, see para 72 of the Schrems judgment.)

So, why do I think WP29 did not give a ‘carte blanche’ or a ‘green light’ for the application of the Privacy Shield?

First, because it is not in its competence to do so. According to Article 29(1) of Directive 95/46, the WP29 ‘shall have advisory status’. Article 30 of the Directive enumerates all the competences and powers of the Working Party – giving opinions, informing the Commission, issuing recommendations, advising the Commission. WP29 is not a Court. It is not even an administrative body that can deal with complaints and issue enforceable decisions to solve them. It cannot simply decide that a legal act issued by the European Commission (such as an adequacy decision) will be disapplied. Or, even more so, annulled.

The CJEU was more than clear in Schrems when stating that ‘the Court (of Justice of the EU – my addition) alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid, the exclusivity of that jurisdiction having the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly’ (para 61 of the judgment).

WP29 could not challenge the Privacy Shield in Court, either. It does not have this competence.

The ones that could indeed challenge the validity of the adequacy decision are the individual members of the Article 29 Working Party, the national DPAs – and only those whose national law gives them the legal standing to go to their national Courts (the others could also initiate such proceedings, if they would know how to directly invoke in front of the national courts the provisions of Directive 95/46 granting them this competence – third indent of Article 28(3); but this is another EU law discussion).

However, just as the CJEU points out in the Schrems judgment, court proceedings initiated by the DPAs are most likely to be possible only in situations where a complaint was made by an individual  (this also depends on national procedural laws of EU Member States) and the DPA happens to agree with the complainant.

‘where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46, read in the light in particular of Article 8(3) of the Charter, be able to engage in legal proceedings‘. (CJEU, para. 65 of Schrems)

Perhaps it is not a coincidence that the only concrete immediate step mentioned by the WP29 in its Statement is the commitment of its members to ‘proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints‘.

Another concrete step the WP29 can do about the level of protection of the safeguards contained in the Privacy Shield is, indeed, focusing on the first Joint Annual Review. The Review will probably be done at the beginning of Summer in 2017, close to the 1 year anniversary of its adoption – and it is the quickest way to have the adequacy decision of the Privacy Shield to be suspended or repealed (see paragraphs 150 and 151 of the adequacy decision), if it indeed does not provide for an adequate level of protection.

In the meantime, the members of the WP29 can very well use as guidance the complex analysis in the 58 pages of the Opinion on the draft Privacy Shield issued on 13 April when they will be dealing with complaints.

This is why I think that yesterday’s Statement is not the ‘carte blanche’ or ‘the green light’ almost everyone thought it was.


If you want to read more on the topic:

EU privacy watchdogs keep open mind on new U.S. data privacy pact (Reuters)

EU watchdogs permit Privacy Shield to run for one year (BBC)

EU Privacy Regulators Give Green Light to Data-Transfer Pact with U.S. (WSJ)

EU privacy watchdogs vow to thoroughly frisk Privacy Shield next year (Arstechnica)

Les gendarmes européens de la vie privée critiquent l’accord Privacy Shield (Le Monde)

EU: New Zealand Privacy Act offers an adequate standard of data protection


The European Commission decided that New Zealand Privacy Act is conform with the EU data protection requirements, hence it has an adequate standard of data protection, allowing data transfers to take place between EU and New Zealand. The adequacy rule is enforced through Article 25 of the Data Protection Directive (Directive 95/46).

In a media release, NZ Privacy Commissioner Marie Shroff welcomed the announcement of the European Commission.

“The European decision is a vote of confidence in our privacy law and regulatory arrangements. This decision establishes New Zealand, in the eyes of our trading partners, as a safe place to process personal data.”

The Office of the Privacy Commissioner (OPC) has been working for a number of years towards this outcome. It has assisted successive governments in amending the Privacy Act to meet EU requirements and has worked with European institutions to gather the information they need to make an assessment.

Assistant Commissioner Blair Stewart, who has led more than 10 years of OPC work on EU adequacy said, “Europe and New Zealand share a common commitment to upholding human rights. As part of this, all European countries have data protection laws much like New Zealand’s Privacy Act 1993. However, since 1995 European businesses have been prohibited by law from transferring personal data to countries outside Europe for processing unless special safeguards prescribed in law are in place.

“Providing the special safeguards in the manner required by EU law can be expensive and difficult even where companies are already operating with comprehensive privacy laws like New Zealand’s. This is why it has been so important for New Zealand to obtain an official decision that our law is adequate to meet EU standards. The European Commission decision establishes that all New Zealand companies in all circumstances can meet those European requirements. Few countries outside Europe have achieved this status.

“The decision should be helpful to New Zealand businesses that trade with Europe or hope to do so as it substantially simplifies compliance with data protection requirements.

VIDEO. EDPS Peter Hustinx on Data Protection Reform

European Data Protection Supervisor, Peter Hustinx, is spoke at a March 27 event organized by American Chamber of Commerce in France and sponsored by Hogan Lovells.

The main ideas of his speech:

  • Main reasons for the need of a new data protection regulation:

1. there is a need to update the current framework

2. the current framework have given rise to increasing diversity, complexity and we have ended up with 27 versions of same basic principles and that is simply too much

3. a new constitutional institutional framework, the Lisbon Treaty, that entered into force with a strong emphasis among fundamental rights, among them the right to data protection

  • The new regulation is stronger, more effective, more consistent and more comprehensive.
  • The exchange of data from private to public sectors is increasing, and will have some practical consequences [this is why the EDPS criticizes the new Directive destined for the judicial collection of data].
  • Ideas about the Regulation:

1. in spite of all the innovations, there is a lot of continuity; all the basic concepts will continue to exist.

2. innovation comes mainly in making it work in practice, by strengthening the role of the people.

3. data subject’s rights have been confirmed and extended; there is more emphasis in transparency.

4. the biggest emphasis is on the responsibility of big organizations

5. Legal security has been enhanced. There is an enormous amount of simplification.

6. The international dimensions of this regulation: The scope of the regulation has been clarified and extended. This provisions apply when from outside, a third country, services are delivered on the European market or when the behavior of Europeans is monitored. I think this is a realistic approach.

  • Overall, it is very welcomed proposal. The criticism I issued relates more to the directive.