ARTICLE 29 DATA PROTECTION WORKING PARTY
1SANK0H
1SANK0H
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
when exercising his/her right of access, is interested to know whether a particular controller<br />
processes data about himself/herself, and also to know what data is being processed, in order<br />
to be able to control the processing of his/her data. The WP<strong>29</strong> has repeatedly stated that<br />
according to EU law data subjects always have the right to access their data, and, where<br />
necessary, to require rectification or erasure of the data if the data have not been processed<br />
lawfully or if they are incomplete or inaccurate, regardless of whether or not the personal data<br />
have been published. 37 If the individual's request for access is rejected on the grounds that the<br />
data were obtained from publicly available sources or public records, the individual would<br />
lose the ability to control the accuracy of the data and to control whether the data were<br />
lawfully made public in the first place.<br />
The Privacy Shield however exempts public records and publicly available information from<br />
the principles of Notice, Choice, Access, and Accountability for Onward Transfers (Annex II,<br />
II.15.b). These exemptions seem too broad in comparison with the Directive and raise<br />
concerns, as they impair, among others, the individuals’ possibilities to control the accuracy<br />
of their data and to restrict dissemination of their data.<br />
2.3 Conclusions<br />
The WP<strong>29</strong> recognises that the U.S. authorities and the European Commission have brought<br />
significant improvements to the commercial aspects for data transfer between the two<br />
continents. Taking into account the above analysis, the WP<strong>29</strong> however finds that the<br />
commercial part of the Privacy Shield requires further clarification on many points. For<br />
example, the lack of an explicit data retention principle, is cause for concern. Therefore, the<br />
WP<strong>29</strong> has serious concerns that the Privacy Shield can ensure a level of protection that is<br />
essentially equivalent to that in the EU.<br />
The adequacy decision needs to further clarify the Purpose Limitation and Choice principles.<br />
There remains the risk of loopholes regarding several principles, notably the onward transfers,<br />
the complaint handling mechanism and the processing of HR or Pharmaceutical data.<br />
Additionally, how the Privacy Shield Principles are to be applied to data processors (Agents)<br />
requires further elaboration and special attention is needed to ensure a clear and unambiguous<br />
application of terminology.<br />
3. ASSESSMENT OF THE NATIONAL SECURITY GUARANTEES OF THE DRAFT<br />
ADEQUACY DECISION<br />
3.1 Safeguards and limitations applicable to U.S. national security authorities<br />
Interferences with the fundamental rights to private life and data protection may be allowable,<br />
provided that such an interference is justifiable in a democratic society. This means that the<br />
Privacy Principles are not absolute and that derogations may be possible, but only if the<br />
applicable (essential) guarantees are met. Consistent with the goal of enhancing privacy<br />
protection, organisations should moreover strive to implement the Principles fully and<br />
37 See WP20, p. 4<br />
33