EU–U.S. Privacy Shield adequacy decision (“Privacy Shield”) adopted on 12 July 2016, assessed by EDPB in report January 22, 2019
In this report of January 22, 2019 The EDPB (European Data Protection Board) assessed once again whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective and the EDPB assessed the robustness of its adequacy decision and its practical implementation.
Efforts made by U.S.
In this report he EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, especially actions undertaken to adapt the initial certification process, start ex officio oversight and enforcement actions, as well as the efforts made by the U.S Government by publishing a number of important documents and the appointment of a new Chair as well as of two new members of the PCLOB, meaning that the PCLOB has reached the required quorum for its functioning. However, the EDPB still has a number of significant concerns that need to be addressed by both the Commission and the U.S. authorities.
No substantial checks
The absence of substantial checks remains a concern of the EDPB. Other areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR Data and processors, as well as the recertification process. In addition, the EDPB recalls the remaining issues with respect to certain elements of the commercial part of the Privacy Shield adequacy decision as already raised in the WP 29’s Opinion 01/2016.
Still waiting for a permanent Ombudperson with sufficient power
On the Ombudsperson mechanism, the EDPB is still awaiting the appointment of a permanent independent Ombudsperson. Given the elements provided, the EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non- compliance, and it can thus not state that the Ombudsperson can be considered an “effective remedy before a tribunal” in the meaning of Art. 47 of the EU Charter of Fundamental Rights. The EDPB recalls that the same concerns will be addressed by the European Court of Justice in cases that are already pending before the Court.
On October 6, 2015 The European Court declared the Safe-Harbour treaty invalid in the case Schrem-Facebook, after the Edward Snowden revelations. Safe Harbor was a very popular transfer mechanism that more than 4,000 American companies relied on to legitimize their transatlantic data transfers. From its inception, however, some European DPAs consistently criticized Safe Harbor for not offering true “adequacy,” especially for transfers to data processors and onward transfers. As a consequence of this Court decision , thousands of businesses rushed to identify alternatives to transfer personal data to the U.S., with most turning to EU model clauses.
Lets hope that this will not happen with the Privacy Shield, which is in fact still in negotiation. The only alternative for processing personal data outside the EU would then have to be based on expensive Corporate Binding Rules (GDP 46, 2b), or the Model clauses of the European Commission (GDPR 46, 2c)which needs to be assessed as well not being yet completely GDPR proof. The model clauses are considered adequate for use under the GDPR for the time being but are being reviewed. The GDPR( Art. 46,5) expressly provides however that model clauses adopted under the Directive will continue in force under the GDPR until amended, replaced, or repealed. Practically this means that companies that have model clauses in place that predate the GDPR may rely on these clauses now the GDPR is in force as well. An other possibility are standard data protection clauses adopted by a supervisory authority and approved by the Commission (GDPR 46, 2 d), or an approved code of conduct and certification mechanism (GDPR 46, 2 e and f), of which I have not seen any example yet.