The European Union’s Article 29 Data Protection Working Party (WP29), put in place under a European Parliament directive to address personal information and its international movement, responded on April 13 to the Privacy Shield Data Transfer Agreement agreed upon by the United States and the European Commission earlier this year. The Privacy Shield was intended to fill the gap left by the invalidated Safe Harbor agreement. While the WP29’s non-binding opinion takes note of the improvements to data protection set forth in the Privacy Shield, the WP29 expresses “strong concerns” regarding commercial aspects and the access by public authorities to transferred data. In light of the concerns, the WP29 has urged the Commission to address and clarify the concerns to ensure that the Privacy Shield provides comparable protection to the EU.
While the decision did not provide the clarity that companies were hoping for, it is widely expected that there will be modifications made to the Privacy Shield to address the concerns. In the meantime, the standard contractual clauses and binding corporate rules can still be used by companies transferring personal data to the U.S.
For more details, see the Article 29 Working Party’s 58-page opinion here and the corresponding two-page press release here. For background, see the European Commission’s February 2, 2016, press release on the Privacy Shield agreement here. For more information on the WP29 and its role and composition, see here.