EU-US Privacy Shield – is the WP29 about to go to ‘war’?
Recently, the Bill re-authorising section 702 of FISA (the Foreign Intelligence Surveillance Act) was passed by the US House of Representatives, after the original December deadline had been extended to 19th January. Although the Bill still has to get through the Senate, it seems that, with the backing of President Trump, the authority it grants for targeted surveillance of non-US persons located outside the US will be re-authorised despite the concerns of the EU's WP29.
On 28th November 2017 the WP29 published its report on the first annual Joint Review of the EU-US Privacy Shield (https://www.scl.org/files/download/1666-20171205_Privacy_Shield_Report-WP29pdf.pdf). The WP29 had previously expressed concerns about the Privacy Shield and, whilst it acknowledges that progress has been made, it still has a number of concerns around transparency and, in particular, around access to data by US law enforcement and for national security purposes.
“The WP29 welcomes the various efforts made by US authorities to set up a comprehensive procedural framework to support the operation of the Privacy Shield through for example the strengthening of the checks performed prior to the listing of certified organizations.”
In September 2017 the EU Commission and the WP29 visited Washington to undertake the review. The Commission published its own report in October 2017 and adopted a seemingly different position from that of the WP29:
“The Commission stands strongly behind the Privacy Shield arrangement with the US. Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs. This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.”
However, the WP29 report lists a number of concerns which fall broadly into two categories: commercial aspects, and concerns around government access to EU personal data for law enforcement and national security purposes (with specific reference to s702 FISA).
The commercial aspects that remain a concern include:
A lack of guidance and clear information on the Privacy Shield principles, onward transfers and the rights and available remedies for data subjects;
The need for increased oversight and supervision of compliance with the principles;
The need to distinguish between the status of data processors and data controllers;
Required improvements in the interpretation and handling of ‘HR data’;
Lack of rules on automated decision-making and profiling;
Unresolved issues from the WP29’s Opinion 01/2016 on the draft Privacy Shield adequacy decision.
The WP29 acknowledges that progress has been made in comparison with the previous Safe Harbor arrangements.
The WP29 also acknowledges that progress has been made in respect of the concerns around access to data for law enforcement and national security reasons, but a number of concerns remain, specifically in relation to the collection of, and access to, personal data for national security purposes under section 702 of FISA and Executive Order 12333. Executive Order 12333, signed by President Reagan in 1981, sets out the powers and responsibilities of the US intelligence agencies, directs the heads of US departments and agencies to co-operate with the CIA, and is the authority under which intelligence collection takes place outside the FISA framework (and so without FISA Court authorisation).
Two programmes operate under s702 FISA – PRISM and UPSTREAM. Under PRISM, US internet service providers are compelled to hand over to the NSA the communications of users that correspond to tasked ‘selectors’ (identifiers such as e-mail addresses or telephone numbers, rather than names or keywords). Under UPSTREAM, telecommunications providers are required to assist the NSA by collecting, from the traffic transiting their networks, the communications associated with the tasked ‘selectors’. The WP29 has specific concerns around the UPSTREAM programme:
“…the WP29 calls for further evidence or legally binding commitments to substantiate the assertions by the US Authorities that the collection of data under s702 is not indiscriminate and access is not conducted on a generalized basis under the UPSTREAM programme.”
The WP29 viewed the re-authorisation of s702 as “an important opportunity to include additional safeguards…”, but it remains to be seen whether this feedback has been taken on board when the Bill reaches the Senate ahead of the 19th January 2018 deadline.
What is clear is that the WP29 has given a stark warning to the US in respect of the Privacy Shield if its concerns are not addressed before the GDPR application date of 25th May 2018:
“In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.”
If the WP29 chooses to go down this route, there could be detrimental consequences for EU businesses that need to transfer data to the US (and vice versa). It would be prudent for those businesses to ensure that they fully understand which of their systems, processes and supplier relationships rely on a counterparty’s Privacy Shield certification rather than on another transfer mechanism (such as Standard Contractual Clauses), so that they know what would be affected by any such action, and to keep fully up to date with developments.
In the meantime it’s just a waiting game, with only a few months to go until 25th May…