In its recent Report on the Privacy Shield, the Article 29 Working Party (WP29) recognised the progress of the Privacy Shield in comparison with the invalidated Safe Harbour, and the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield. However, the WP29 identified a number of concerns. Like the European Commission (EC), in its first annual review of the EU-US Privacy Shield, the WP29 called for the appointment of a permanent Privacy Shield Ombudsperson (and further explanation of the rules of procedure including by declassification), and filling the remaining positions on the Privacy and Civil Liberties Oversight Board (PCLOB). The WP29 requested these concerns to be prioritised and addressed prior to 25 May 2018, when the GDPR comes into force.
The WP29 further called for clear guidance on the Privacy Shield Principles, HR data and onward transfers, and increased supervision of compliance with the Privacy Shield principles. The US authorities are also requested to clearly distinguish the status of processors from that of controllers both at the time of their self-certification and at the time of further check. The WP29 demands these remaining issues to be resolved, at the latest, at the time of the next annual review of the Privacy Shield. If no remedies are brought to address the concerns raised by the WP29 within these time frames, the WP29 warned it will bring the Privacy Shield adequacy decision to the national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.