Europe's data protection bosses have fired a warning shot across the bows of the Union's executive body ahead of the first annual review of the EU-US Privacy Shield.
The data transfer framework, which was agreed in February 2016 and opened for sign-ups last August, is now used by more than 2,000 companies to transfer the personal data of EU citizens to the US for processing without risk of breaching fundamental European privacy rights.
The core idea is a framework that bridges two very different legal regimes.
Privacy Shield replaces the prior Safe Harbor arrangement, which stood for fifteen years before being invalidated by Europe's top court after a legal challenge that was largely focused on US government mass surveillance practices as a breach of EU privacy rights.
The replacement, which the Commission argues offers more robust privacy guarantees, has always had its critics, who claim it contains the same fundamental flaws as its predecessor arrangement, not least on account of ongoing bulk data collection rules in the US. It is already facing legal challenges.
It also arguably looks especially precarious in Trump's America, given the president's apparent disregard for the human rights of non-Americans. And the impacts of the new guard in the White House are clearly front of mind for the EU's Article 29 Working Party, the body made up of representatives from Member State data protection agencies, ahead of the first annual review.
The group set out a series of concerns about Privacy Shield as far back as April 2016. They're now gearing up for the annual review, due to take place in the US in September, and today say they've sent the EC a note setting out their views and recommendations, and reserving the right to publish their own report subject to the outcome of the Joint Review and the report of the Commission.
So, in other words, it's a warning shot to the Commission not to try to make the review a pantomime, tick-box exercise.
The WP29 describes the forthcoming review as a fact-finding mission in order to collect the relevant information and necessary evidence to assess the robustness of the Privacy Shield.
Its concerns span both commercial aspects and law enforcement/national security considerations pertaining to the framework, including recent developments in US law that might impact privacy (for example, in January President Trump caused consternation in Europe with an Executive Order that strips privacy rights from non-US citizens), and the fact that a key ombudsperson role, created as part of the data transfer framework, has yet to be appointed.
The US is also currently engaged in debate over reforming Section 702 of FISA, which has implications for how the data of non-US citizens can be treated by US national security agencies.
Discussing its concerns, the WP29 writes today:
For the commercial part, the WP29 has questions concerning, among others, the existence of legal guarantees regarding automated decision making or the existence of any guidance made available by the DOC regarding the application of the Privacy Shield principles to organisations acting as agents/processors. Clarifications that will be sought also include the definition of human resources data.
Regarding the law enforcement and national security part, the WP29 has questions, including with regard to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is as adapted as feasible, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing representatives from the PCLOB [Privacy and Civil Liberties Oversight Board] as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.
The group also notes that more questions about the robustness and operation of the arrangement may well arise during the review process, which it says should last at least two to three days in order to allow sufficient time to conduct an assessment.
It also says it has suggested a list of US authorities that should be part of the Joint Review, and will be sending eight of its own personnel to be part of the review team, from commissioners to experts at staff level.
The first joint annual review will be a key moment for the WP29 to assess the robustness and effectiveness of the Privacy Shield mechanism, it adds.
At the time of writing the EC had not responded to a request for comment.
Update: In an emailed statement a Commission spokesman told us: "As part of the preparations we are now consulting the companies who subscribed to it, privacy NGOs, as well as our American counterparts to prepare the agenda," adding: "Consulting with our EU data protection authorities is also part of this process."
Responding specifically to the WP29's statement today, the spokesman added: "We will take this input into account in our preparation of the review. It is already foreseen by the Commission's adequacy decision (Privacy Shield decision) that the data protection authorities will participate in the review."
We understand that areas the Commission is intending to cover as part of the review include: looking at how US companies comply with their data protection responsibilities and the mechanisms they have put in place to ensure a speedy handling of complaints; how the Department of Commerce and the FTC certify companies, monitor compliance and extend their cooperation to EU Data Protection Authorities in enforcement; the operation of the rules regarding access by public authorities, and rules and procedures to ensure the Ombudsperson mechanism functions well; and also issues identified already in the EC adequacy decision, such as dialogue on automated decision-making, as well as any developments in U.S. law that might raise questions concerning the EU-U.S. Privacy Shield.
Read more: https://techcrunch.com