After the invalidation of the Safe Harbor by the European Court of Justice ("ECJ") last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield. However, the EU's 1995 Data Protection Directive provides that the Article 29 Working Party ("WP29") has to issue an opinion on this kind of agreements and it did so on April 13. It concluded that the proposed version of the Privacy Shield does not offer a protection essentially equivalent to that offered under EU law. WP29 noted "strong concerns" on both the commercial aspects and on access by public authorities.
On the commercial aspects, WP29 said the Privacy Shield:
is not in line with the purpose limitation and data retention principles (data should not be stored longer than strictly necessary in accordance with the purpose for which the data subject gave his/her consent) says nothing about protection against decisions based solely on automated processing does not deal with onward transfers adequately; and has a redress mechanism that is too complex. As regards access by public authorities, the Privacy Shield:
does not exclude massive and indiscriminate collection of personal data originating from the EU; and has an Ombudsperson that is not sufficiently independent and not vested with adequate powers. WP 29 urged the European Commission to resolve these concerns and improve the proposed scheme.
What will happen next?
The EU Privacy Directive states that a committee composed of representatives of all Member States must also issue an opinion...