On April 13, 2016, the European Union Article 29 Working Party released a statement and an official but non-binding opinion regarding the adequacy of the EU-U.S. Privacy Shield agreement (the replacement for the EU-U.S. Safe Harbor) concerning the transfer of data between the EU and the U.S.
In that opinion, the Working Party, which consists of all 28 EU member state data protection authorities (DPAs), stated that Privacy Shield brought significant improvements compared to Safe Harbor.
However, the Working Party expressed that there was an overall lack of clarity concerning the principles and guarantees offered by Privacy Shield, as Privacy Shield consists of numerous documents and annexes. Additionally, the Working Party expressed concern about the commercial aspects of Privacy Shield, such as the application of the purpose limitation principle to data processing, the failure to discuss the data retention principle, and the possibility that the new redress mechanism may be too difficult for EU residents to use. Finally, the Working Party expressed concern about access by public authorities to data transferred under the Privacy Shield. According to the Working Party, there was insufficient information to assess whether EU data would be subject to massive and indiscriminate collection, and there is concern that the Ombudsperson is not sufficiently independent or vested with sufficient powers.
Fortunately, some law firms have examined whether the US offers "essentially equivalent" privacy and data protections. The Hogan Lovells report concludes that in the context of Privacy Shield the US does offer such protections. See Hogan Lovells report (to prevent link rot, I am hosting a copy of the report on Mega.nz). The Sidley Austin report similarly concludes (albeit not in the context of Privacy Shield) that the US offers "essentially equivalent" privacy and data protections. See Sidley report. Importantly, both reports addressed and dispatched the concern that EU data would be subject to massive and indiscriminate collection.
Given the concerns raised by the Working Party, one might think that there could be some last-minute changes to Privacy Shield. However, the U.S. government appears disinclined to make any changes.
Until there is a final decision on Privacy Shield, it is still possible to use Binding Corporate Rules and Standard Contractual Clauses to move data between the US and the EU according to the Working Party's Chairperson Isabelle Falque-Pierrotin (the head of France's DPA).
updated on 5/4