Key Review of Privacy Shield Coming in Six Weeks
Now that the EU Commission has published the complete version of its draft decision adopting the EU-US Privacy Shield program, it's time for the key reviewers to dig in. I don't mean the lawyers, or EU privacy advocates, or US businesses, although their views will no doubt be wide-ranging and illuminating. But no, the really important reviewers are the members of the Article 29 Working Party.
Regular readers of this blog will know that the Art. 29 WP is made up of representatives of the EU's national data protection authorities and that the group has a major advisory role as mandated by Art. 29 of the Data Protection Directive (hence the catchy name). The reason that that Art. 29 WP's views will be particularly important for Privacy Shield is that the national DPAs will be the arbiters of the initial attacks that are almost certain to be made on Privacy Shield once it is adopted. In terms of legal action, the first step EU privacy advocates who are not satisfied with Privacy Shield (which Max Schrems has already characterized as "lipstick on a pig") will take is to file complaints with their local DPAs. The DPAs will then need to consider whether Privacy Shield protects the "fundamental rights and freedoms" of the complainants. The DPAs will then issue decisions that can be appealed to the local courts. The local courts would then need to refer questions of European law (such as the validity of the Commission decision to adopt Privacy Shield) to the Court of Justice of the EU, which is the only court authorized to strike down a Commission decision. But it all starts with the DPAs.
The Art. 29 WP has promised to publish its comments after a plenary meeting on April 12-13. If the Art. 29 WP comes out in favor of Privacy Shield prior to its adoption, it will be a lot tougher for the DPAs to turn around later and agree with complainants that Privacy Shield is, after all, inadequate and should be struck down. So Art. 29 WP has compelling incentives to scrutinize the draft Privacy Shield decision very carefully over the next six weeks. It will be interesting to see whether the Commission draft survives the review without any vulnerabilities being identified that would lead the Commission to reopen negotiations with the US.