Privacy Shield given tentative approval by EU data protection authorities
Framework good enough for now but changes will be needed, says Article 29 Working Party
The Privacy Shield framework hurriedly agreed between the European Union and the US requires work before it can be considered a robust framework for governing data transfers, according to the umbrella group that represents Europe's data protection registrars.
The Article 29 Working Party (WP29), a group that encompasses all the EU's data protection controllers, welcomed the changes that have been made to the framework since it was unveiled, saying that they go some way to assuaging its concerns.
"The WP29 welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbour decision. In its Opinion on the draft EU-US Privacy Shield adequacy decision, the WP29 expressed concerns and asked for various clarifications," the organisation said.
"The WP29 commends the EC and the US authorities for having taken them into consideration in the final version of the Privacy Shield documents."
However, the WP29 claims that it still has a number of concerns that need to be addressed. "Concerning access by public authorities to data transferred to the US under the Privacy Shield, the WP29 would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism," the statement said.
"Regarding bulk collection of personal data, the WP29 notes the commitment of the Office of the Director of National Intelligence not to conduct mass and indiscriminate collection of personal data.
"Nevertheless, it regrets the lack of concrete assurances that such practice does not take place."
As a result, the WP29 said that the annual reviews of the framework will be a "key moment" to assess how Privacy Shield performs.
"In this regard, the competence of DPAs in the course of the joint review should be clearly defined," it said.
"In particular, all members of the joint review team shall have the possibility to directly access all the information necessary for the performance of their review, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities."
The outcome of the review could also affect how Binding Corporate Rules and Standard Contractual Clauses are maintained under the new regime, according to the WP29.
Aaron Simpson, a partner at Hunton & Williams, explained that businesses should be pleased by the tentative backing of the WP29 as it suggests that the framework will be in place for some time yet.
"Today's announcement recognises the good work that has been done by the negotiating parties while simultaneously emphasising that more work remains to fine-tune that balance," he said.
"Importantly, the WP29's statement makes clear that it believes that this remaining work can be carried out in the context of the Shield's novel joint review process, which was included to enable the Privacy Shield to be a dynamic framework that evolves over time.
"Although the path forward is not crystal clear, given that the alternatives to the Privacy Shield face challenges of their own, today's announcement should provide the comfort many companies were looking for from the WP29 before committing to the Privacy Shield."