Privacy Shield is still not safe enough
The European Commission has drafted an outline of an “adequacy decision” that is to introduce an EU-US Privacy Shield as a substitute for the nullified Safe Harbour decision. The national Privacy Authorities, united in the Article 29 workgroup “WP29”, are critical of the draft decision by the European Commission: the Privacy Shield certainly offers more protection, but there are also problems that the European Commission has to solve to guarantee that exchanging personal data with the US under the Privacy Shield is as safe as exchanging data within the EU.
WP29 gave its opinion on 13 April 2016, raising the concern that the Privacy Shield does not contain a requirement to delete data when it is no longer necessary to store it. Also, the Privacy Shield leaves room for American intelligence agencies to collect personal data from the EU in non-specific ways and on a large scale. Some of the definitions are not clear or are inconsistent, including some that address important topics like data access.
There are also some positive remarks in the WP29 opinion. The Privacy Shield provides for a supervisor to monitor its performance. The Privacy Authorities view this positively, as long as the supervisor can perform its task independently and effectively. The performance will also be inspected annually by representatives of various interests. Such an inspection is crucial for a general sense of trust in the Privacy Shield.
The expectation is that in May, the Committee of Representatives of the Member States will give its opinion on the current Privacy Shield. The European Commission is working both documents into a new version of the Privacy Shield, which is expected to be published in June 2016 and come into effect shortly thereafter. Until then, the personal data of EU nationals may only be exported to the US in keeping with the EC model contracts and Binding Corporate Rules (BCRs).
Marga Verwoert