Europe's data protection committee Working Party 29 (WP29) is going to let Privacy Shield operate for a year, promising to hold off on legal challenges until mid-2017 when its first joint annual review is held.
While the chest-beating is still ongoing, the agreement should bring much needed breathing room for corporations which rely on transatlantic data transfers.
In a statement, WP29 said it: “welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbour decision,” however expressed concerns and asked for various clarifications in its Opinion WP238 on the draft EU-US Privacy Shield adequacy decision.
WP29 commended the European Commission (EC) and US authorities on trying to address their concerns, but said that, “a number of these concerns remain regarding both the commercial aspects and the access by US public authorities to data transferred from the EU.”
The group says that in terms of commercial aspects, there is a lack of “specific rules on automated decisions and of a general right to object. It also remains unclear how the Privacy Shield Principles shall apply to processors.”
The group promised to look at the Privacy Shield in terms of its "impact [on] transfer tools such as Binding Corporate Rules and Standard Contractual Clauses."
Likewise it still has concerns about US law enforcement authorities intercepting the data that is transferred to the US under the Privacy Shield agreement.
The group criticised the agreement saying: “Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.”
The first annual review is going to take place in July 2017 – one year after being formally signed. The working party has said it will: "not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective."
Warning that they simply won't be fobbed off for another year, the group explained: "all members of the joint review team shall have the possibility to directly access all the information necessary for the performance of their review, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities."
It should be noted that the agreement is already being challenged in the courts by the same lawsuit that struck down Safe Harbour - Max Schrems' v Facebook. Schrems indicated recently, his case has also been punted down the road by at least a year.
The legal timeline has been unusually padded, by The Irish High Court which is deciding whether to approve a request by the Irish data protection commissioner to ask the European Court of Justice (ECJ) whether Facebook's contract clauses over data usage are legal. This means that the case will not appear before the ECJ until 2017 at the earliest.
Aaron P Simpson, partner at Hunton & Williams told SCMagazineUK.com: “Today's announcement from the Article 29 Working Party recognises the good work that has been done by the negotiating parties while simultaneously emphasising that more work remains to fine-tune that balance. Importantly, the Working Party's statement makes clear that that it believes that this remaining work can be carried out in the context of the Shield's novel joint review process, which was included to enable the Privacy Shield to be a dynamic framework that evolves over time. Although the path forward is not crystal clear, given that the alternatives to the Privacy Shield face challenges of their own, today's announcement should provide the comfort many companies were looking for from the Working Party before committing to the Shield.”