The EU-US Privacy Shield is an agreement which allows for the transfer of personal data between the EU and US. These transfers of data can occur when you buy goods or services online, use social media, cloud storage or in the case of employees of an EU-based company that uses the services of a company in the US.
EU law requires a high level of protection for personal data that is transferred to the US. As such, any US-based company that receives personal data from the EU must ensure that the data is processed, used, stored and further transferred in line with the established safeguards and rules.
To transfer personal data from the EU to the US, a company can use contractual clauses, binding corporate rules, and the Privacy Shield.
If the Privacy Shield is used, the company must sign up to the framework with the US Department of Commerce (“DoC”). In order to be certified, companies must have a privacy policy in line with the Privacy Principles of the Privacy Shield. They must renew their “membership” to the Privacy Shield on an annual basis. If they do not, they can no longer receive and use personal data from the EU under that framework.
The first Annual Joint Review will take place in the week of the 18th September 2017 in the US with the participation of eight Article 29 Working Party (“WP29”) members, including Commissioners and experts at staff level. The WP29 guidelines are due to be published in October.
The WP29 released a press statement confirming that the meetings for the Commission’s review are open to the EU Data Protection Authorities (“DPAs”) that make up the WP29. The WP29 will seek clarification from the Commission and ensure that US authorities are able to answer concerns on the concrete enforcement of the Privacy Shield decision on:
1. Problems raised by the EU-US Privacy Shield
On the 12th July 2016, the Commission adopted the EU-US Privacy Shield adequacy decision. The Article 29 Working Party has since issued several opinions on the adequacy decision and has stressed its concerns after reviewing case law of the European Court of Human Rights and the Court of Justice of the European Union (“CJEU”), as well as relevant US case law. The WP29 states that these particular issues need to be addressed in the annual review of the adequacy decision. Thus, the first annual review will be a key moment for the WP29 to assess the effectiveness of the Privacy Shield mechanism.
2. Law enforcement and national security access
The WP29 has questions relating to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks precise evidence to show that bulk collection, when it exists, is ‘as tailored as feasible’, limited and proportionate. President Trump has not nominated an Undersecretary of State to serve as Ombudsman for the Privacy Shield program, nor yet nominated new Privacy and Civil Liberties Oversight Board (“PCLOB”) members. The WP29 “stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.”
3. Commercial aspects
Clarification will be sought on the existence of legal guarantees regarding automated decision making, on any guidance made available by the DoC regarding the application of the Privacy Shield principles to organisations acting as agents/processors, and on the definition of human resources data.
The WP29 expects that it will be given the opportunity to provide comments on the Commission’s report before the report is finalised and made public.
The WP29 adopted a letter addressing the above issues to Commissioner Věra Jourová, sharing its views and recommendations on the operational and substantive modalities of the Joint Review of the recent US-EU agreement on data transfers. The letter sets out the issues with the Privacy Shield summarised in the statement above.
Other concerns over the Privacy Shield, including President Trump’s Executive Orders
Following a recent statement by Director of National Intelligence Daniel Coats, in a US congressional hearing, about the difficulty of identifying when data or communications relating to US citizens are mistakenly collected, EU DPAs may have concerns about whether US intelligence is also gathering EU citizens’ data in the process.
It is also interesting to note that Digital Rights Ireland has filed a case against the Commission regarding the validity of the Privacy Shield, which will be heard towards the end of the year.
There will also be a case referred from Ireland’s highest court to the CJEU in early September on whether model clauses can also be used by international companies (e.g. Facebook) to move data from the EU to the US.
However, it must be noted that the Executive Order does not have any direct impact on the Privacy Shield. The rights of EU citizens against US federal agencies, in particular the right to judicial redress, are guaranteed by the Judicial Redress Act. Moreover, under US law, Executive Orders cannot overturn statutes enacted by Congress and, on the contrary, may only come into force “to the extent consistent with applicable law”. The Judicial Redress Act would have to be amended (which would require a vote in Congress) in order to strip EU citizens of their rights under the Privacy Shield.
Human Rights Watch (“HRW”) stated in July that US surveillance makes the Privacy Shield invalid. HRW sent a joint letter along with Amnesty International to Commissioner Jourová. HRW and Amnesty International believe that the Commission should re-evaluate the adequacy decision, citing “Section 702 of the Foreign Intelligence Surveillance Act, which underpins at least two large-scale warrantless surveillance programs and which Congress is currently debating whether to renew before it expires at the end of this year. Another is Executive Order 12333, which the National Security Agency uses as the basis for most of its communications surveillance activities – including, according to media reports, vast warrantless snooping programs around the world.”