EU-US Privacy Shield
The Working Party also adopted its Report after the first review of the EU-US Privacy Shield, and it was visibly stricter in its assessment than the European Commission. The Working Party detailed a list of remaining concerns, of which we can highlight lack of oversight for processing of data for commercial purposes and ineffective redress in the area of law enforcement and national security. WP29 issued a list of recommendations and stated that if it will not see improvements to address its concerns by May 25, 2018, the DPAs will challenge the Privacy Shield in national courts with a view to refer the case to the CJEU. (A summary of the Report is available here).
The Joint Annual Review of the Privacy Shield is being prepared by the Commission and the Article 29 Working Party. The WP29 sent a letter to the Commission providing details about the fact finding mission to the US in September and its scope, including the fact that they intend to have 8 members of the Working Party in the EU delegation which will participate to meetings in Washington. The press release points out that the WP29 is particularly interested in asking about: the existence of legal guarantees regarding automated decision making or the existence of any guidance made available by the DOC regarding the application of the Privacy Shield principles to organisations acting as agents/processors; the definition of human resources data; and the latest developments of US law and jurisprudence in the field of privacy.
German DPAs of Bavaria and Hesse published informationand complaint form for individuals under the Privacy Shield (only in DE).
The Article 29 Working Party published brief guidance and a form for complaints to the Ombudsperson, highlighting that only the requests relating to national security access by US intelligence agencies will be considered by the Ombudsperson. The form is available HERE (link directly downloads .pdf).
“Five months before the EU-US “Privacy Shield” faces a crucial first test, the EU’s chief data protection watchdog said [last] Wednesday that the recent rollback of US privacy rules for Internet service providers has left him more skeptical that the Trump administration is serious about meeting its obligations in the trans-Atlantic data transfer agreement.” Read more.
The European Parliament passed the resolution of the LIBE Committee regarding the US/EU Privacy Shield framework. “New rules allowing the US National Security Agency (NSA) to share private data with other US agencies without court oversight, recent revelations about surveillance activities by a US electronic communications service provider and vacancies on US oversight bodies are among the concerns raised by MEPs.”
European Commissioner Vera Jourova spent the better part of this week in Washington DC meeting civil society, government and regulators to discuss about the Privacy Shield, getting ready for the first annual review (due in June). Check out her Twitter feed for all updates throughout the week and her speech given today on Privacy Shield, Umbrella Agreement and GDPR at an event in DC.
The full text of the LIBE resolution on the Privacy Shield adopted last week was made available on the European Parliament’s website. As a reminder, the resolution is a political statement that doesn’t have legal effects. It will be up for adoption by the Plenary of the EP in April.
International data transfers
The European Commission is working on a new EU-US agreement to facilitate access of law enforcement to personal data, which was already proposed to the US Attorney General. The available information is not at all clear, but the new agreement will probably be covered under the EU-US Umbrella Agreement framework.
The LIBE Committee of the European Parliament went to Tokyo in an official visit to assess the potential adequacy of the Japanese data protection legislation with EU law.
APEC and the EU discussed interoperability between their data transfer mechanisms, on August 22. The meeting picked up where an earlier working group between the APEC and the Article 29 Working Party left off three years ago after it had developed a document comparing the requirements of the CBPR and the EU BCR and taken initial steps to develop ways to streamline dual certifications under both schemes.
Chris Kuner published an insightful analysis concerning third country law in the CJEU’s data protection judgments in a blogpost available here.
The European Commission wants the EU to avoid “data nationalisation” after the UK leaves the block. Commissioner Ansip criticised the idea of “data protectionism” and addressed the future of data flows between the UK and the EU at an event in Estonia.
Japan is very close to obtaining adequacy status from the European Commission, according to a joint statement from Commissioner Vera Jourova and Japan’s Commissioner of the Personal Information Protection Commission, Haruhi Kumazawa. This may come as early as beginning of 2018.
Two documents have been published by EUCO’s services concerning measures to improve cross-border access to electronic evidence for criminal investigations, within the ongoing work on improving mechanisms to obtain digital evidence for investigations into cyber-enabled crimes. Check out the background of this work, “non-paper” 1 (p. 3 specifically refers to EU-US cooperation) and a detailed technical document.