In his capacity as an independent supervisor of the EU institutions and advisor to the EU legislator, the European Data Protection Supervisor (EDPS) today published his Opinion on the EU-U.S. Privacy Shield in which he offers practical solutions to address some of the concerns the proposal raises.
Giovanni Buttarelli, EDPS, said: "I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue."
In April 2016, the Article 29 Working Party issued an Opinion on the Privacy Shield proposal to which the EDPS contributed as a member. It contains a detailed legal analysis and request for clarification over a number of concerns. The EDPS Opinion has been issued as part of the EDPS’ mission as independent advisor to the EU institutions on the implications of policies which have an impact on the rights to privacy and data protection.
For the Privacy Shield to be effective it must provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights. The EDPS highlights how he sees essential equivalence working in practice in the context of self-regulation by private organisations where data in transit or transferred to the U.S. may routinely be assessed by law enforcement and intelligence bodies.
With the new General Data Protection Regulation (GDPR) to be fully implementable across the EU in May 2018, the EDPS points out that it will be applicable to all data protection related matters including transfers of data. Also taking into account the observations and concerns shared with him by MEPs, industry, civil society, academia and other interlocutors, the EDPS urges the legislators to take their time in finding an adequate, long-term solution.
He says that international companies supplying goods and services in the EU should be absolutely clear about all the rules they must comply with.
In the EU we do not discriminate on the basis of nationality. Key data protection principles must be covered in the Privacy Shield for it to offer essential equivalence between EU-U.S. law.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.
Privacy Shield: In October 2015, the Court of Justice of the European Union ruled that the Safe Harbour framework was invalid because it did not provide a sufficient level of data protection for personal data transferred by companies from the EU to the U.S. as required by EU law. In February 2016, the EU-U.S. Privacy Shield was announced by the European Commission and the U.S. Department of Commerce as a replacement for Safe Harbour.
The EU-U.S. Umbrella Agreement covers data transfers across the Atlantic for law enforcement purposes while the EU-U.S. Privacy Shield covers data exchange for commercial purposes.