Following the generally positive assessment of the EU-U.S. Privacy Shield framework (the “Privacy Shield”) by the European Commission further to its first annual review, the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission), released its own opinion (the “WP29 Opinion”), which was more critical and called for immediate actions to be taken on the part of the United States.

While the Article 29 Working Party praised some improvements made by U.S. authorities in terms of transparency and surveillance, the WP29 Opinion noted significant outstanding issues which ought to be remedied before the second annual review of the Privacy Shield or even earlier.  In particular, the Article 29 Working Party expressed concerns relating to the supervision of U.S. surveillance programs, the processing by U.S. authorities of personal data transferred under the Privacy Shield for national security purposes and the implementation of redress mechanisms available to individuals located in the EU against U.S. companies that are not using personal data in accordance with their commitments under the Privacy Shield.  The Article 29 Working Party has set out as priorities the appointment of an independent Ombudsperson entrusted with the appropriate powers, the clarification of internal procedural rules relating to the interaction between the Ombudsperson and other intelligence or oversight bodies (including declassification rules) and the appointment by the U.S. administration of the members of the Privacy and Civil Liberties Oversight Board contemplated by the Privacy Shield.  According to the Article 29 Working Party, those priority issues should be resolved by May 25, 2018, which is the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) (please refer to our prior Alert Memo in that regard).

Other issues identified by the Article 29 Working Party related to the lack of information given to individuals in the EU regarding the exercise of their rights under the Privacy Shield and the need to increasingly monitor compliance of companies certified under the Privacy Shield.  The WP29 Opinion also provided specific recommendations with regard to the processing of employee data, rules regarding automated decision-making and the profiling of individuals, and the self-certification process by U.S. companies wishing to take advantage of the Privacy Shield.

The Article 29 Working Party advised that in the event of a failure to take the actions it prescribed in the WP29 Opinion within the next year, it reserved the right to challenge the validity of the European Commission’s adequacy decision underlying the Privacy Shield in national courts, which could result in its annulment. In that regard, some of the arguments the Article 29 Working Party could raise (such as the broad access to personal data by U.S. authorities for national security purposes) appear to be similar to those that resulted in the invalidation of the Safe Harbor scheme (the Privacy Shield’s predecessor) by the Court of Justice of the European Union in its Schrems v. Data Protection Commissioner judgment.

The Privacy Shield is also subject to pending challenges, one of which was dismissed on November 22, 2017, albeit not on substantive grounds but as a result of the applicant’s lack standing to act.  These challenges to the Privacy Shield echo other actions seeking to invalidate alternative legal grounds to transfer personal data from the EU to the United States, such as the one initiated by Mr. Schrems and the Irish Data Commissioner to question the legitimacy of so-called Standard Contractual Clauses (“SCCs,” also commonly referred to as Model Contracts), which is now pending before the Court of Justice of the European Union for a preliminary ruling.

The invalidation of both the Privacy Shield and the SCCs as approved methods for transferring personal data would cause serious disruptions in the flow of data and, as a result, business relations, between EU and U.S. companies.