In his capacity as an independent supervisor of the EU institutions and advisor to the EU legislator, the EDPS has published his much awaited Opinion on the EU-U.S. Privacy Shield. In his Opinion, he offers some practical solutions to address some of the concerns the proposal raises.
Giovanni Buttarelli, the EDPS, said:
‘I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue’.
In April 2016, the Article 29 Working Party issued an Opinion on the Privacy Shield proposal to which the EDPS contributed as a member. It contains a detailed legal analysis and request for clarification over a number of concerns. The EDPS Opinion has been issued as part of the EDPS’ mission as independent advisor to the EU institutions on the implications of policies which have an impact on the rights to privacy and data protection.
For the Privacy Shield to be effective it must provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights. The EDPS highlights how he sees essential equivalence working in practice in the context of self-regulation by private organisations where data in transit or transferred to the USA may routinely be assessed by law enforcement and intelligence bodies.
The EDPS points out that the GDPR will be applicable to all data protection related matters including transfers of data. Taking into account the observations and concerns shared with him by MEPS, industry, civil society academia and other interlocutors, the EDPS urges the legislators to take their time in finding an adequate, long-term solution. He says that international companies supplying goods and services in the EU should be absolutely clear about all the rules they must comply with.
Under the EU data protection regime, there is no discrimination on the basis of nationality. Key data protection principles must be covered in the Privacy Shield for it to offer essential equivalence between EU-US law.
The EDPS Opinion is available on the EDPS website.