The recently approved Privacy Shield framework can be made into a fully robust and workable framework for data transfers, but requires work to get there, according to the European Article 29 Working Party (WP29).
The WP29, formed of all European data controllers, welcomed the changes that have been made to the framework since it was unveiled, saying that they go some way to assuaging its concerns.
“The WP29 welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbour decision. In its Opinion on the draft EU-US Privacy Shield adequacy decision, the WP29 expressed concerns and asked for various clarifications,” the organisation said.
“The WP29 commends the EC and the US authorities for having taken them into consideration in the final version of the Privacy Shield documents.”
However, the WP29 still has a number of concerns that need addressing. “Concerning access by public authorities to data transferred to the US under the Privacy Shield, the WP29 would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism,” the statement said.
“Regarding bulk collection of personal data, the WP29 notes the commitment of the Office of the Director of National Intelligence not to conduct mass and indiscriminate collection of personal data.
"Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.”
As a result the WP29 said that the annual reviews of the framework will be a “key moment” to assess how Privacy Shield performs.
“In this regard, the competence of DPAs in the course of the joint review should be clearly defined,” it said.
“In particular, all members of the joint review team shall have the possibility to directly access all the information necessary for the performance of their review, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities.”
The outcome of the review could also affect how Binding Corporate Rules and Standard Contractual Clauses are maintained under the new regime, according to the WP29.
Aaron Simpson, a partner at Hunton & Williams, explained that businesses should be pleased by the tentative backing of the WP29 as it suggests that the framework will be in place for some time yet.
“Today’s announcement recognises the good work that has been done by the negotiating parties while simultaneously emphasising that more work remains to fine tune that balance," he said.
"Importantly, the WP29’s statement makes clear that it believes that this remaining work can be carried out in the context of the Shield’s novel joint review process, which was included to enable the Privacy Shield to be a dynamic framework that evolves over time.
"Although the path forward is not crystal clear, given that the alternatives to the Privacy Shield face challenges of their own, today’s announcement should provide the comfort many companies were looking for from the WP29 before committing to the Privacy Shield.”
Could be used for everything from search-and-rescue robots to wearable tech
Don't require the rare material being mined from the mountains of South America
IBM hopes that its new tool will avoid bias in artificial intelligence
Found by calculating the strength of the material deep inside the crust of neutron stars