As the EU-U.S. Privacy Shield news was breaking this past February, LLM, Inc. released a white paper on recommended best practices and the future of transatlantic data privacy and transfer policies: After Safe Harbor: Navigating Unknown Data Privacy Waters. The Article 29 Working Party (WP29) and the European Parliament revealed the latest developments in this ongoing story.
After WP29’s in-depth analysis of the Privacy Shield, the group shared its opinion. While it welcomed the Privacy Shield’s “significant improvements” compared to Safe Harbor, the group still had “strong concerns” relating to commercial aspects and public authorities’ access to transferred data. It felt that there were insufficient details “in order to exclude massive and indiscriminate collection of personal data originating from the EU.” To improve the draft adequacy decision, WP29 urged the European Commission to resolve its concerns and respond to requests for clarification.
Just a day after the data authorities group rejected the Privacy Shield, the European Union accepted the new EU General Data Protection Regulation (GDPR), which applies to organizations that monitor or process EU citizens’ personal data.
As a result of these developments, the National Law Review recommends that organizations prepare for both the Privacy Shield and GDPR in specific ways, including performing a data inventory to understand what kind of data is collected, how it is processed, where it is stored and who has access to it.
So what’s ahead for the recently rejected Privacy Shield? The European Commission will take into consideration both WP29’s advisory opinion and the Article 31 Committee’s. It has been anticipated that, unlike WP29, the Article 31 group will most likely be in favor of the Privacy Shield. Its decision is expected after meetings on April 29 and May 19.
After the group’s decision, the EU Commission and the U.S. Department of Commerce may choose to address WP29’s “strong concerns” and modify the Privacy Shield, or the EU Commission may approve the Privacy Shield as is.
The National Law Review shares the speculation that, given the “significant pressure” from the U.S. government and U.S. and EU companies, the EU Commission may implement the Privacy Shield despite WP29’s clear objection. If that is the case, then legal challenges before the Court of Justice of the European Union could follow, creating even more uncertainty for already restless companies. This potential uncertainty will likely influence the EU Commission and U.S. Department of Commerce to address the issues at hand.