InfoBytes Blog
Article 29 Working Party Assesses Transatlantic Privacy Shield
On April 13, the Article 29 Working Party (WP29) of the European Union released its assessment of the draft framework for transatlantic data flows: EU-US Privacy Shield, which was announced on February 2. According to the assessment, the WP29 evaluated the Privacy Shield from a commercial as well as a national security perspective. Regarding commercial aspects of the Privacy Shield, the WP29 maintained that “key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions.” The WP29 further opined that it “cannot find in the documents constituting the Privacy Shield any reference to the necessity for data controllers to ensure that the data are deleted once the purpose for which they were collected or further processed has become obsolete. Hence, as it seems, the Principles do not impose to the certified organisations [sic] a limit for the period of retention of the data comparable to what is imposed by the data retention limitation principle under EU law.” Regarding onward transfers and national security, the WP29 commented that, because the Privacy Shield will be used to transfer data outside the U.S., it must ensure the same level of protection on all aspects, including national security, and “should not lead to lower or circumvent EU data protection principles.” According to the WP29, as the Privacy Shield is currently drafted, “onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.” Finally, the WP29 raised doubts about the effectiveness of the Ombudsperson at the U.S. State Department, questioning whether the designated person would be equal in independence to national security oversight bodies in other countries.