EDPB Details Ongoing Concerns About EU-U.S. Privacy Shield

The European Data Protection Board (EDPB or Board), an entity consisting of the European Union’s (EU) data protection authorities, has released its annual assessment of the EU-U.S. Privacy Shield and again finds both the agreement itself and implementation wanting. There was some overlap between the concerns of the EDPB and the the European Commission (EC) as detailed in its recently released third assessment of the Privacy Shield, but the EDPB discusses areas that were either omitted from or downplayed in the EC’s report. The EDPB’s authority is persuasive with respect to Privacy Shield and carries weight with the EC; however, its concerns as detailed in previous annual reports have pushed the EC to demand changes, including but not limited to, pushing the Trump Administration to nominate Board Members to the Privacy and Civil Liberties Oversight Board (PCLOB) and the appointment of a new Ombudsperson to handle complaints about how the U.S. Intelligence Community is handling the personal data of EU citizens. Conceivably, this EDPB assessment could create more pressure for the Department of Commerce (Commerce) and Federal Trade Commission (FTC) to engage in more stringent oversight of those entities attesting to adhering to Privacy Shield in the transfer and processing of the personal data of EU citizens, including FTC actions alleging violations of Section 5 of the FTC Act if entities claim to be certified or in compliance but are found not to be (as the agency did in four recent cases.)

The EDPB took issue with how the Commerce is conducting spot reviews of a business’s adherence to Privacy Shield and how the FTC is enforcing the regime. In the view of the EDPB, these checks are mostly formal and do not delve into the substance of whether the business is actually complying with the requirements of Privacy Shield to protect the personal data of EU citizens. In particular, the EDPB criticized the lack of oversight of so-called onward transfers of the EU citizens’ data from the EU through the U.S. and into other countries that may not offer the protections required in the EU. The EDPB called for closer scrutiny of this practice by Commerce and for an examination of the contracts U.S. companies enter into with entities in third countries to ensure the requirements of Privacy Shield are being met. The EDPB renewed its concerns about the EU and U.S.’s different readings on how human resources (HR) data are to be treated, namely that EU employees would not be able to avail themselves of the same protections once their data has been transferred to the U.S. The EDPB also expressed its concern about how Commerce handles lapsed certifications of compliance with Privacy Shield by noting that such entities are still listed as being certified. The EDPB pushed for a reformed recertification regime.

The EDPB also expressed its “opinion that it is important that the [EC] continues monitoring cases related to automated decision making and profiling and to contemplate the possibility to foresee specific rules concerning automated decision making to provide sufficient safeguards, including the right to know the logic involved and to challenge the decision obtaining human intervention when the decision significantly affects him or her.” Finally, the EDPB noted “the remaining issues with respect to certain elements of the commercial part of the Privacy Shield adequacy decision as already raised in the WP 29’s Opinion 01/2016 in particular regarding the absence or the limitation to the rights of the data subjects (i.e. right to object, right to access, right to be informed for HR processing), the absence of key definitions, the application of the principles when it comes to “processors”, the lack of guarantees on transfers for regulatory purpose in the field of medical context, the lack of specific rules on automated decision making and the overly broad exemption for publicly available information.” The EDPB stated “[t]hose remain valid.”

The EDPB also took issue with U.S. law enforcement and national security treatment of EU citizens’ personal data. The Board asserted that nothing had changed in the legal landscape in the U.S. since last year’s review but recounted its concerns, chiefly that under Title VII of the Foreign Intelligence Surveillance Act (FISA) and Executive Order (EO) 12333 indiscriminate data collection from and analysis of EU citizens could occur with minimal oversight and little to no redress contrary to EU law. However, the EDPB lauded “the now fully functional Privacy and Civil Liberties Oversight Board (PCLOB)” even though many of its crucial reviews of U.S. surveillance practices were classified and therefore off-limits for the Board to review, notably its forthcoming review of EO 12333 which provides an alternative basis for the Intelligence Community to conduct surveillance. Nonetheless, overall, the EDPB calls for more safeguards for U.S. surveillance that would make these activities more targeted. The EDPB also decried how the standing requirements in federal courts have effectively blunted the available redress for EU citizens under the Privacy Act of 1974. The Board also enumerated its concerns about the Ombudsperson “provides the only way for EU individuals to ask for a verification that the relevant authorities have complied with the requirements of this instrument by asking the Ombudsperson to refer the matter to the competent authorities, which include the Inspector General, to check the internal policies of these authorities.” The EDPB was concerned about the impartiality and independence of the current Ombudsperson, Under Secretary of State for Economic Growth, Energy, and the Environment Kenneth Krach and asserted “still doubts that the powers of the Ombudsperson to remedy non-compliance vis-a-vis the intelligence authorities are sufficient, as his “power” seems to be limited to decide not to confirm compliance towards the petitioner.”

The EDPB detailed its “significant concerns that need to be addressed by both the Commission and the U.S. authorities:”

• As regards the commercial aspects, the absence of substantial checks remains a concern of the EDPB. Other areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR data and the application of the principles when it comes to processors, as well as the recertification process. More generally, the members of the Review Team would benefit from a broader access to non-public information, concerning commercial aspects and ongoing investigations. In addition, the EDPB recalls the remaining issues with respect to certain elements of the commercial part of the Privacy Shield adequacy decision as already raised in the WP 29’s Opinion 01/2016.
• As regards the collection of data by public authorities, the EDPB can only encourage the PCLOB to issue and publish further reports. It regrets that on Section 702 FISA no general report is contemplated, to provide an assessment of the changes brought since the last reauthorization in 2018. The EDPB would be very interested on an additional report on PPD-28 to follow up on the first report including an assessment of how the safeguards of PPD-28 are applied Finally, the EDPB underlines the importance of reports on Executive Order 12333, and regrets that those reports will most likely remain classified. In this regard, the EDPB stresses that the members of the review team only have access to the same documents as the general public. The EDPB recalls that the security cleared experts of the EDPB remain ready to review additional documents and discuss additional classified elements, in order to have more meaningful reviews, following the example of PNRs or TFTP reviews.
• On the Ombudsperson mechanism, despite some new elements provided during this year’s review, especially on the procedural aspects in relation to the first case submitted to the Ombudsperson but declared inadmissible, as well as on hypothetical cases, the EDPB is still not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance. Thus, it still cannot state that the Ombudsperson can be considered an “effective remedy before a tribunal” in the meaning of Art. 47 of the EU Charter of Fundamental Rights.
• Finally, the EDPB recalls that the same concerns will be addressed by the Court of Justice of the European Union in cases that are still pending before it.”