On April 13, 2016, the Article 29 Working Party issued its opinion on the draft adequacy finding under the U.S. Privacy Shield (Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision; Statement of the Article 29 Working Party on the Opinion on the EU‑U.S. Privacy Shield).
In principle, the working group welcomes the improvements that the Privacy Shield brings in comparison to Safe Harbor. However, it calls on the European Commission to clarify the linguistic and systematic ambiguities regarding the principles and guarantees granted by the Privacy Shield. On the one hand, better clarity could be provided by adding an annex to the Privacy Shield with definitions of terms. On the other hand, the terminology would need to be aligned with that used in European data protection legislation.
With regard to the commercial aspects of the declaration of adequacy, the working group notes that the draft does not take into account some of the European data protection law principles. For example, better account should be taken of purpose limitation, and companies should be explicitly required by the declaration of adequacy to delete personal data that is no longer needed. In addition, complexities in connection with the complaints procedure should be clarified.
Regarding the security aspects of the adequacy declaration, the working group criticizes that the possibility of arbitrary data collection by U.S. authorities has not been eliminated. In addition, there is still considerable uncertainty about the conditions under which U.S. authorities can gain access to personal data held in the United States. In addition, the responsibilities of the ombudsman’s office need to be clarified.