The 29 Working Party – an update to the EU Shield

Just a couple of hours ago, the long awaited 29 Working Party meeting, came to an end.

Just a couple of hours ago, the long awaited 29 Working Party meeting, came to an end. It was meant to be the final one regarding the revisions of the paperwork about the EU-US Privacy-Shield and everyone was expecting a positive outcome.

Well, they did have their say … but unfortunately we are still relatively non-the-wiser.

The overall feeling the Party expressed was that there has been a major improvement in the negotiations between the EU Commission and the USA and there have been more adequate suggestions proposed. But there are still many topics, which either need a better coverage or need coverage in general.

Lead by the European Convention of the Human Rights and other EU legislation the Party has expressed their main concerns, namely:

1) There is still a tendency towards the bulk collection of data, even though the Party previously made it clear it’s not acceptable practice. In addition to previous concerns raised about this issue, there are fresh concerns that the frivolous gathering of data has direct implications on the counter-terrorism measures that countries are trying to get a grip on.

2) Although the party welcomes the appointment of an Ombudsman person, they aren’t sure this role is going to help solve relevant matters, in fact to the contrary, it could lead to further inefficiencies. The party believes that even if the Ombudsman person is appointed, it should be made very clear that the first person who should deal with any ‘data issues’ for the EU should always be the DPA in the first instance.

The Working party strongly recommended the Shield take into consideration the upcoming changes in Data Protection legislation within the next 2 years referring specifically to the changes in General Data Protection Regulation (GDPR).

The Party once again brought attention to the main standards that need to be considered:

  1. The processing must be based on clear, precise, accessible rules
  2. They must demonstrate necessity/proportionality
  3. There needs to be an independent oversight mechanism – whether a judge or independent mechanism
  4. There should be effective remedies put in place.

The Party advises companies in the meantime to use the well known acceptable mechanisms –  specifically the Model Clauses Contracts and BCR. According to the Party it’s “a great step forward, but given concerns, we believe there is still work to do ….”. Which leaves us to wait and see what the Mid June committee will decide on the matter.

Posted by simonholliday