Hot on the heels of the European Commission’s official review of the functioning of the EU-U.S. Privacy Shield framework, the Article 29 Working Party (Working Party) of EU data protection regulators has issued its own report on the matter. The summary of findings by the Working Party, which draws from both written submissions and oral contributions, begins by commending U.S. authorities for their efforts in establishing a procedural framework to support the operation of Privacy Shield but quickly shifts to the Working Party’s concerns. Should the concerns not be addressed by the time of the second joint review, the Working Party notes that its members will “take appropriate action,” including bringing a Privacy Shield adequacy decision to national courts for reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
While the precise importance and role of Privacy Shield in a post-GDPR world where contractual mechanisms and BCR seem to be given prominence remains to be seen, approximately 2,500 organizations currently rely on the framework for the transfer of personal data from the European Union to the U.S. The referral of Privacy Shield to the CJEU would cast the validity of such transfers into doubt, so the next few months will be critical in this respect.
Insufficient Guidance from the DoC/FTC
The Working Party concludes that the guidance offered to date by the Department of Commerce (DoC) and the Federal Trade Commission (FTC) is insufficient because it focuses on the certification process itself. The Working Party calls for the publication of guidance documents that provide “clear interpretation[s]” of how the requirements of Privacy Shield should be implemented in practice, calling such guidance “indispensable” given how heavily the framework relies on compliance self-assessments. It specifically highlighted the need for more precise guidance on the timing of notice, on “when and how” a data subject can opt out of processing for a new purpose, and on the onward transfer requirement more generally.
The Working Party’s request for additional guidance may indeed prove helpful to U.S. organizations working to comply with Privacy Shield. However, underlying this issue of perceived insufficient guidance is a difference in philosophical approach to data protection law on the two sides of the Atlantic. U.S. authorities deliberately chose not to provide prescriptive guidance on the mechanics of complying with the Privacy Shield requirements in order to (i) allow organizations to adopt the policies and processes that best address their needs, and (ii) avoid the risk that an organization might simply “copy” and “adopt” the guidance without implementing appropriate processes in practice. The EU, on the other hand, has generally adopted, and is much more accustomed to, a more prescriptive approach to data protection.
As the nature of the DoC/FTC’s guidance stems from a differing U.S. philosophy regarding data protection, it is far from certain whether and to what extent the DoC and FTC will publish more prescriptive guidance documents in response to the Working Party’s comments.
Oversight, Supervision, and the Self-Certification Process
As expected, the Working Party emphasizes a need for U.S. authorities to engage in affirmative monitoring of the practices of those entities that have certified to Privacy Shield and in the execution of compliance reviews even in the absence of suspicion of non-compliance.
It is possible that U.S. authorities will respond by adopting a more proactive compliance review process. However, as the Privacy Shield framework does not itself detail the exact oversight and supervision required, further dialogue on what supervision is appropriate would not be surprising. We anticipate that the absence of any complaint referred to U.S. authorities by EU individuals during the period under review will frame the general discussion and negotiation over the means and processes for carrying out oversight and supervision. It may also be relevant that the DoC had developed compliance questionnaires to be sent to organizations suspected of being in breach, but had received no indication of any such suspicion within the period of the joint review.
Differences in Interpretation by the U.S. and EU
The Working Party also noted three concerns related to differing interpretations of the Privacy Shield framework and disparate approaches to data protection law.
Automated decision-making / profiling. Here, the Working Party reiterated its existing concern that the Privacy Shield framework itself provides insufficient legal guarantees for automated decisions that produce legal effects or significantly affect the individual, and that such guarantees are required to provide an adequate level of protection. (Recall that, in the U.S., such issues are generally addressed through sector-specific laws, such as the Fair Credit Reporting Act, whereas the EU addresses them within its primary data protection frameworks.) Adding such guarantees to the framework would likely require new discussions on the role of such requirements and how they might align with the U.S. sector-specific legal framework. However, this is a key area of focus for the Working Party under the GDPR, so the stakes are certainly high in this respect.
Differing interpretations regarding the processing activities of U.S. processors, and the consequences that flow from those differences. The Working Party noted that the obligations contained in the Principles do not neatly apply to processors, a crucial fact confronted by many companies and generally navigated through a combination of self-certification, contractual obligations, and internal policies and procedures. The identification of this issue may lead to more illustrative guidance from the relevant authorities, which may in turn assist U.S. processors in meeting their obligations under Privacy Shield.
Identification and treatment of HR data. It is the position of the Working Party that where data qualifies as HR data in the EU, it remains HR data even if transferred to the U.S. for processing purposes only, and any U.S. entity that receives such data must fulfill the Privacy Shield requirements pertaining to HR data. We anticipate that U.S. entities will view this stance as a “shifting” interpretation and would not be surprised to see pushback. In practice, many U.S. vendors that provide services to EU organizations do not distinguish whether their customers use those services for EU customer data or for HR data. It is foreseeable that such U.S. organizations would view the additional requirements and obligations that attach to the processing of HR data as inappropriate. We therefore anticipate further discussions in this area of concern.
Law Enforcement Access
The Working Party also commented at length on U.S. law enforcement access to information and the means by which EU citizens can seek redress before U.S. courts, finding the framework established by Privacy Shield to be insufficient.
The Working Party called for further evidence or legally binding commitments to substantiate the assertions made by U.S. authorities that collection is not indiscriminate and access is not granted on a generalized basis. The Working Party seeks an updated report from the Privacy and Civil Liberties Oversight Board (PCLOB) to assess the necessity and proportionality of the definition of “targets” and the tasking of selectors under section 702 and generally seeks the rapid appointment of new members to vacancies on the board.
Moreover, the Working Party criticizes the problematic admissibility threshold of the so-called “standing requirement” in the U.S., which it believes renders it uncertain whether an EU individual could bring a suit against a surveillance measure on the basis of 702 FISA or EO 12333. Interestingly, the Working Party also acknowledges that courts in EU Member States have denied challenges to surveillance laws for similar procedural reasons. Finally, the Working Party appears to place great emphasis on the Ombudsperson—a role that it says has insufficient powers, based on the information available to it—and calls for a permanent Ombudsperson to be appointed as soon as possible.
All in all, and as expected, the Working Party delivers a troubling verdict. For the time being, we anticipate that the DoC and the FTC will take some action in response to the Working Party’s feedback. The European Commission will also use the Working Party’s report as a reference for the work ahead. In the meantime, the adequacy decision for Privacy Shield stands, so European companies can continue to rely on this framework for transfers of personal data to U.S. participants. We will continue to monitor this space for further developments.