Der Europäische Datenschutzbeauftragte, Giovanni Buttarelli (“EDPS”) hat sich am 30. Mai 2016 zum Privacy Shield geäussert (Opinion 4/2016; PDF). Er kommt dabei u.a. zu folgendem Ergebnis:
The draft Privacy Shield may be a step in the right direction but as currently formulated it does not adequately include, in our view, all appropriate safeguardsto protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision. In particular, the EU should get additional reassurances in terms of necessity and proportionality, instead of legitimising routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU, as affirmed by the Treaties, EU rulings and constitutional traditions common to the Member States.
Moreover, in an era of high hyperconnectivity and distributed networks, self-regulation by private organisations, as well as representation and commitments by public officials, may play a role in the short term whilst in the longer term they would not be sufficient to safeguard the rights and interests of individuals and fully satisfy the needs of a globalised digital world where many countries are now equipped with data protection rules.
Therefore, a longer term solution would be welcome in the transatlantic dialogue, to also enact in binding federal law at least the main principles of the rights to be clearly and concisely identified, as is the case with other non EU countries which have been ‘strictly assessed’ as ensuring an adequate level of protection; what the CJEU in its Schrems judgment expressed as meaning ‘essentially equivalent’ to the standards applicable under EU law, and which according to the Article 29 Working Party, means containing ‘the substance of the fundamental principles’ of data protection
Der EDPS bemerkt ferner, dass der Entwurf der Adequacy Decision für den Privacy Shield auf der Datenschutzrichtlinie beruht, obwohl die DSGVO 2018 in Kraft treten wird.