Der EDPS beur­teilt den Pri­va­cy Shield als unzureichend

Der Euro­päi­sche Daten­schutz­be­auf­trag­te, Gio­van­ni But­tarel­li (“EDPS”) hat sich am 30. Mai 2016 zum Pri­va­cy Shield geäu­ssert (Opi­ni­on 4/2016; PDF). Er kommt dabei u.a. zu fol­gen­dem Ergebnis:

The draft Pri­va­cy Shield may be a step in the right direc­tion but as cur­r­ent­ly for­mu­la­ted it does not ade­qua­te­ly inclu­de, in our view, all appro­pria­te safe­guard­sto pro­tect the EU rights of the indi­vi­du­al to pri­va­cy and data pro­tec­tion also with regard to judi­cial redress. Signi­fi­cant impro­ve­ments are nee­ded should the Euro­pean Com­mis­si­on wish to adopt an ade­quacy deci­si­on. In par­ti­cu­lar, the EU should get addi­tio­nal reas­suran­ces in terms of neces­si­ty and pro­por­tio­na­li­ty, ins­tead of legi­ti­mi­sing rou­ti­ne access to trans­fer­red data by U.S. aut­ho­ri­ties on the basis of cri­te­ria having a legal basis in the reci­pi­ent coun­try, but not as such in the EU, as affir­med by the Trea­ties, EU rulings and con­sti­tu­tio­nal tra­di­ti­ons com­mon to the Mem­ber States.

Moreo­ver, in an era of high hyper­con­nec­ti­vi­ty and dis­tri­buted net­works, self-regu­la­ti­on by pri­va­te orga­ni­sa­ti­ons, as well as repre­sen­ta­ti­on and com­mit­ments by public offi­cials, may play a role in the short term whilst in the lon­ger term they would not be suf­fi­ci­ent to safe­guard the rights and inte­rests of indi­vi­du­als and ful­ly satisfy the needs of a glo­ba­li­sed digi­tal world whe­re many coun­tries are now equip­ped with data pro­tec­tion rules.

The­re­fo­re, a lon­ger term solu­ti­on would be wel­co­me in the trans­at­lan­tic dia­lo­gue, to also enact in bin­ding federal law at least the main princi­ples of the rights to be clear­ly and con­cise­ly iden­ti­fied, as is the case with other non EU coun­tries which have been ‘strict­ly asses­sed’ as ensu­ring an ade­qua­te level of pro­tec­tion; what the CJEU in its Schrems judgment expres­sed as mea­ning ‘essen­ti­al­ly equi­va­lent’ to the stan­dards app­li­ca­ble under EU law, and which accord­ing to the Arti­cle 29 Working Par­ty, means con­tai­ning ‘the sub­stance of the fun­da­men­tal princi­ples’ of data protection

Der EDPS bemerkt fer­ner, dass der Ent­wurf der Ade­quacy Deci­si­on für den Pri­va­cy Shield auf der Daten­schutz­richt­li­nie beruht, obwohl die DSGVO 2018 in Kraft tre­ten wird.