The data protection environment is getting steadily stranger. Not satisfied with Brexit-related uncertainties (will we GDPR, or somehow dodge parts of it?), data protection practitioners now have to perform further mental gymnastics: is there a solid Privacy Shield – or will it prove to be made of paper on the first thrust of Max Schrems’s lance?
Last week’s statement from the Article 29 Working Party on the Privacy Shield was seen by many as the green light for use of the Shield. However, while the WP29 welcomed the improvements brought by the Privacy Shield mechanism compared to the Safe Harbour decision and commended the Commission and the US authorities for having taken its further concerns into consideration in the final version of the Privacy Shield documents, a number of its concerns remain. The WP29 identifies these as follows:
· Concerning commercial aspects, the WP29 regrets, for instance, the lack of specific rules on automated decisions and of a general right to object. It also remains unclear how the Privacy Shield Principles shall apply to processors.
· Concerning access by public authorities to data transferred to the USA under the Privacy Shield, the WP29 would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism.
· Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.
The WP29 statement then goes on to stress the importance of the first joint annual review. This is seen as a near-guarantee that the Privacy Shield will last at least until after that review, as no legal challenge could realistically be resolved within that period.
The WP29 commits itself to ‘proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints’ and promises to provide ‘information to data controllers about their obligations under the Shield [and] comments on the citizens’ guide’.
The new Privacy Shield website designed by the US Department of Commerce is now live and can be accessed here. At the time of writing, there were no Privacy Shield organisations listed there.