What's being billed as a leaked excerpt from the Article 29 Working Party (Art.29 WP) Opinion on the EU Privacy Shield indicating the group was "not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection [in the U.S.] that is essentially equivalent to that in the EU," could spell trouble for finalization of the agreement hammered out earlier this year to fill the void left when Safe Harbor was invalidated by a European court.
According to De Lege Data, the leak came via a resolution from the German Data Protection Authorities (DPAs) posted online (the link since removed, but a copy of the document now reportedly found here) voiced concerns about the draft agreement.
“Until these issues are addressed, the WP29 considers it is not in a position to reach an overall conclusion on the draft adequacy decision,” De Lege Data cited the DPAs resolution as saying.” It stresses that some of the clarifications and concerns – in particular relating to national security – may also impact the viability of the other transfer tools.”
Aaron Tantleff, intellectual property partner at Foley & Lardner LLP, said he wasn't surprised by the leak “given that the purpose of Privacy Shield was to ensure that there was a mechanism in place to ensure a level of protection in the U.S. that is essentially equivalent to that in the EU.” In comments emailed to SCMagazine.com, Tantleff noted that the current draft of Privacy Shield might “not appear to satisfy this requirement.”
But while, he noted “the content of the leak does not surprise me,” he contended that “given the magnitude of this decision, I believe it will not be one that will sit well with the US government or US organizations, and ultimately, may have a negative impact on cross-Atlantic business and drive up the cost of global commerce.”
Mary Hildebrand, a partner at law firm Lowenstein Sandler, said if authentic, the leaked material confirms “expectations that the Art.29 WP would subject the Privacy Shield to a thorough and tough review. Specifically, the Art.29 WP will make a determination whether the Privacy Shield and the ‘adequacy decision,' meet the stringent standards for the privacy of European personal data transferred to the U.S established by the European Court of Justice in the Schrems decision.”
The Art.29 WP, she noted in comments emailed to SCMagazine.com, had outlined “four key standards” that any “new data transfer mechanism” must meet. “If the Art.29 WP is not able to lend its support, then presumably the Privacy Shield falls short in one or more of these areas,” said Hildebrand.
However, she pointed out, that the EC isn't “bound by the opinion” of the group, although “there's no doubt of their influence in this debate.” To modify the Privacy Shield pact to address the Art.29 WP concerns, mean “a return to the bargaining table with the U.S.,” action that Hildebrand called “politically challenging,” making it “unlikely.”
If the EC overrides the group's objections and approves Privacy Shield, then the only entity that could invalidate the decision would be the European Court of Justice. The leaked material, if accurate, indicating the Art.29 WP's struggles with the pact “suggests who may be participating in judicial challenges down the road,” said Hildebrand, noting that the wording ultimately suggests “that a judicial challenge to the “adequacy” of the Privacy Shield originating with the German DPAs may be a virtual certainty.”
If those challenges are successful “invalidation of another trans-Atlantic data transfer mechanism would impair the credibility of the European Commission, and exacerbate existing uncertainty in the private sector throughout the U.S.,” she said.
In a Monday blog post, John Frank, Microsoft's vice president of EU affairs, urged approval of the Privacy Shield pact.
“We have reviewed the Privacy Shield documentation in detail, and we believe wholeheartedly that it represents an effective framework and should be approved,” he wrote, contending that “no single legal instrument can address for all time all of the privacy issues on both sides of the Atlantic.”
Frank acknowledged that the current draft will most certainly require additional steps, “ranging from additional domestic legislation to modernization of mutual legal assistance treaties and new bilateral and ultimately multilateral agreements,” after its adoption but the agreement “as negotiated provides a strong foundation on which to build.”
The Art.29 WP's opinion is expected to be released on Wednesday.