Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision, adopted on 13 April 2016 (WP 238)

On 29 February 2016, the European Commission published a Communication, a draft adequacy decision and the annexed texts: the EU-U.S. Privacy, which seeks to replace the previous U.S. Safe Harbour invalidated by the Court of Justice of the European Union on 6 October 2015, in the Schrems case.

Article 29 DPWP is particularly pleased with the increased transparency that is offered through the introduction of two Privacy Shield Lists on the website of the DoC: one list containing the records of those organisations adhering to the Privacy Shield, and one list containing the records of those organisations that have adhered to the Shield in the past, but no longer do so.

However, three major points of concern do remain, that in the view of the WP29 will need to be addressed.

1. The first concern is that the language used in the draft adequacy decision does not oblige organisations to delete data if they are no longer necessary.

2. The WP29 understands from Annex VI that the U.S. administration does not fully exclude the continued collection of massive and indiscriminate data

3. Even though the WP29 welcomes the introduction of the Ombudsperson mechanism, concerns remain as to whether the Ombudsperson has sufficient powers to function effectively.

The WP29 has also indicated various points throughout this Opinion where further clarification of the adequacy decision is in order.

1. This regards the need to ensure that the key data protection notions used in the Privacy Shield are defined and applied in a consistent way. The introduction of a glossary of terms in the Privacy Shield F.A.Q., with definitions ideally agreed between the EU and the U.S., would be welcomed.

2. The WP29 also concludes that onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.

3. The WP29 recommends that a review of this adequacy decision, as well as of the adequacy decisions issued for other third countries, should take place shortly after the GDPR enters into application.

4. The WP29 welcomes the fact that the Privacy Shield adequacy decision will indeed be reviewed on a yearly basis, with a broad involvement of DPAs and other relevant parties. It would welcome agreement on the elements of the joint reviews, including on the drafting and presentation of the review report by all parties well in advance of the first review.