Shield or no shield: that is the question | Practical Law

The Article 29 Working Party has concluded that the draft EU-US privacy shield does not meet EU standards. While welcoming the privacy shield as a great step forward from the safe harbor, the working party raised a number of concerns with the privacy shield framework. The European Commission must now decide whether to finalise its adequacy decision for the privacy shield in its current form, or return to the negotiating table.

Practical Law UK Articles 0-627-0547 (Approx. 4 pages)

by Ruth Boardman and James Fenelon, Bird & Bird LLP
Published on 28 Apr 2016
European Union, United Kingdom, USA
The Article 29 Working Party (the working party) has concluded that the draft EU-US privacy shield does not meet EU standards (see box "The end of the safe harbor"). While welcoming the privacy shield as a great step forward from the safe harbor, the working party raised a number of concerns with the privacy shield framework, in particular:
  • It does not have a data retention principle.
  • The position on the massive and indiscriminate collection of data for national security purposes is unclear.
  • The legal remedies are insufficient, with particular concerns regarding the ombudsperson.
Significantly, the working party announced that it will not review the validity of other transfer mechanisms, in particular, standard contractual clauses and binding corporate rules, until after the European Commission (the Commission) has provided its adequacy decision on the privacy shield. The working party noted that these mechanisms therefore remain valid for now.

The Article 29 Working Party opinion

The working party’s key concerns include the following:
US national security guarantees. There are three key issues:
  • The practical application of certain surveillance laws remains unclear from the privacy shield documents. Law must be accessible and some of the relevant underlying legal texts are classified.
  • The privacy shield documents do not rule out massive and indiscriminate data collection by the US government. This remains a major concern for the working party, although it notes that, pending a decision from the European Court of Justice in Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Davis and others, there is no conclusive EU law on this issue (joined cases C-203 and C-698/15).
  • The privacy shield provides a new mechanism for EU individuals to submit requests in relation to US intelligence access to a privacy shield ombudsperson. The working party has concerns about the independence of the ombudsperson and whether he will have direct access to the information, files and IT systems required to make assessments and have powers to compel agencies to guarantee a satisfactory remedy. Some intelligence services, for example, the US Central Intelligence Agency, may fall outside the ombudsperson’s remit. The working party is also critical of other judicial remedies including: the need to demonstrate harm; exclusions for national security in the US Judicial Redress Act of 2014; and the fact that only US citizens can be protected by the Fourth Amendment of the US Constitution, which protects from unreasonable searches and seizures.
Privacy shield principles. The working party’s main concerns are as follows:
  • Key EU data protection principles are missing from the privacy shield, including the data retention principle, which ensures that data are deleted once the purpose for which they were collected or further processed becomes obsolete; and protections in relation to certain automated decision making.
  • Privacy shield holders should be obliged to assess the adequacy of a third country before any transfer. The privacy shield organisation should also be obliged to notify promptly any changes in the third-country legislation which are likely to have a substantial adverse effect on the level of protection provided by the privacy shield.
  • The redress principle has so many potential avenues that it could be difficult for individuals in the EU to know how to bring a complaint. In order to overcome language barriers and lack of knowledge of the US legal system, EU data protection authorities should be able to represent EU individuals and act on their behalf, or to act as an intermediary for the EU individual’s complaint.
  • The transitional arrangements are not acceptable; transfers should only take place from the moment of full compliance with the privacy shield principles.
  • More detail regarding the manner and timing of notice and choice should be included. There are inconsistencies between the choice and purpose limitation principles.
  • It is not clear how the privacy shield principles will apply to agents or data processors in EU terms. The privacy shield should make it clear which principles are relevant to processors and that processors may only follow instructions, including on onward transfer, from the data controller which has appointed them.
  • Inconsistent terminology in the privacy shield could lead to lack of clarity and gaps in coverage; for example, it is not clear if rights will benefit all persons residing in the EU, or EU citizens only. A glossary of terms is recommended.
  • There will be a joint review of the privacy shield by the US and EU. The working party would like more certainty of approach and of funding for its part in this process, and would like the joint review to be more thorough than the current reviews of transfer of passenger name records.
  • Without fuller knowledge of US law both at the federal and state level, the working party was not in a position to assess the exemptions provided for national security, public interest, law enforcement, or based on statute, government regulation or case law. The working party also requests clarification that public domain data should not be exempted completely and a narrower journalistic exemption to reflect the "right to be forgotten" principles established in Google Spain SL and Google Inc v Agencia Española de Protección de Datos and Mario Costeja González (C-131/12; see News brief "Google decision: the right to be forgotten").
  • The privacy shield does not meet the higher standards of the draft General Data Protection Regulation (GDPR) (see Briefing "General Data Protection Regulation: preparing for change", this issue). The privacy shield should be reviewed shortly after the GDPR comes into effect to bring the privacy shield in line with revised GDPR standards.

Implications

The working party is not a law-making body, but given that many of its members are representatives of national data protection authorities within the EU, its opinion is highly persuasive. The Commission must now decide whether to finalise its adequacy decision for the privacy shield in its current form, or return to the negotiating table, taking on board the working party’s comments.
Organisations may be slow to adopt the privacy shield if it comes into effect in its current form. However, revising the privacy shield is only an option if the US is able to address the working party’s concerns. The uncertainty following Schrems looks likely to continue for some months yet.
Ruth Boardman is a partner, and James Fenelon is an associate, at Bird & Bird LLP.

The end of the safe harbor

In October 2015, the European Court of Justice ruled that the European Commission’s (the Commission) safe harbor decision (2000/520/EC) was invalid (Schrems v Data Protection Commissioner C-362/14; see News brief "Safe harbor in a storm: ECJ rules on data transfers to the US").
On 29 February 2016, the Commission published the text of a new framework for transatlantic exchanges of personal data, known as the EU-US privacy shield (see News brief "Data transfers to the US: new framework agreed").
The Article 29 Working Party, which consists of a representative from the data protection authority of each EU member state, the European Data Protection Supervisor and the Commission, has been assessing the privacy shield documents and gave its non-binding opinion on 13 April 2016.