European Data Protection Supervisor (EDPS) Giovanni Buttarelli issued his formal opinion on the EU- US Privacy Shield, arguing that while it’s a step in the right direction, “robust improvements” are needed.  The EDPS is an independent advisor/institution and this opinion, along with its recommendations, is geared primarily to the European Commission.

A notable criticism is that Privacy Shield is based on the current EU Directive 95/46/EC, which will be superseded by the new and more robust EU data protection framework, the General Data Protection Regulation (GDPR), in May 2018.   This is problematic because, in his opinion, there isn’t consistency between the current and the future framework and data controllers could find themselves seeking to comply in an environment where that compliance model is changing.

Some additional points worth highlighting are that the EDPS believes more can be done with respect to data minimization and retention as well as automated processing of personal data.  Specifically, he recommends that:

  • The language regarding data minimization and retention should be strengthened to “clearly prohibit keeping personal data in a form which permits identification of data subjects for longer than necessary for the purposes for which the data were collected or further processed.” (See page 9)
  • Language regarding automated processing of personal data — especially when it impacts individuals “performance at work, creditworthiness, reliability, conduct, etc.” — should have greater safeguards and allow for human intervention on the part of the controller to express their “point of view and to contest the decision, and to obtain information about the logic underpinning the processing.”  (See pages 9 and 10)

The EDPS concludes by stating that he “welcomes the efforts shown by the parties to find a solution for transfers of personal data from the EU to the U.S. for commercial purposes under a system of self-certification.  However, robust improvements are needed in order to achieve a solid framework, stable in the long term.”