The chair of the group of 28 European Union data protection authorities said on Tuesday that the regulators would not launch any challenges to the new Privacy Shield until it has gone through its first annual review, expected sometime next summer. The wording is fairly polite, but pretty clear of the unease with which it and its fellow privacy guardians view the Privacy Shield arrangements. Under European data privacy principles, companies operating in the EU are not allowed to send personal data to countries with less stringent privacy regulations. Concerns about the deal have delayed the decision and although legal challenges are expected from privacy activists, the deal will allow companies more certainty in the transfer of sensitive data. And so, after being in place for 15 years, it was declared to be invalid in October 2015, with Privacy Shield agreed upon in February 2016 and revised by the WP29 later that month.
"Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data". It also provides for enforcement actions.
The Article 29 Working Party (WP29), a group that encompasses all the EU's data protection controllers, welcomed the changes that have been made to the framework since it was unveiled, saying that they go some way to assuaging its concerns.
However, it said, "a number of these concerns remain regarding both the commercial aspects and the access by United States public authorities to data transferred from the EU".
The outcome of the review could also affect how Binding Corporate Rules and Standard Contractual Clauses are maintained under the new regime, according to the WP29. In addition, it's still anxious about the powers of the new ombudsman to handle complaints about data abuses and the lack of assurances from the U.S. that its law enforcement services do not practice bulk collection of personal data.
The Working Party said the "the first joint annual review" of the Privacy Shield would be "a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed".
Aaron P Simpson, partner at Hunton & Williams told SCMagazineUK.com: "Today's announcement from the Article 29 Working Party recognises the good work that has been done by the negotiating parties while simultaneously emphasising that more work remains to fine-tune that balance". It is anticipated that a lot of data processors, particularly amongst technology and other cloud based businesses, are keen to adopt the solution, so that comment, coupled with the moratorium on a decision rather than endorsement, will not help them build confidence amongst their customer base that this method will give protection in the medium to longer term.