Privacy Shield

EU Data Protection Authorities Respond to Privacy Shield

As discussed in greater detail in EU-US Privacy Shield: Agreement on Transatlantic Data Flows, the European Commission and the US Government announced on February 2, 2016 an agreement on the EU-US Privacy Shield Arrangement to replace the US-EU Safe Harbor, which the Court of Justice of the European Union struck down in its Schrems decision on October 6, 2015.  Although the texts for the Privacy Shield have yet to be released, the Article 29 Working Party of EU data protection authorities issued a statement in response.  The Working Party states that it will withhold judgment on the Privacy Shield until the specifics are made available, but notes that it will also be considering the implications of the Schrems decision on whether existing transfer mechanisms, such as the Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the US, although such mechanisms should be considered acceptable in the interim.

Article 29 Working Party Statement

The Working Party’s statement acknowledges the importance of the conclusion of the negotiations between European and US authorities and recognizes the efforts of US authorities over the last few years to strengthen the protections for personal data of non-US individuals. While the Working Party withholds making any judgments on the Privacy Shield until the specific terms of that program are made available to it for review, the Working Party used the statement to reiterate its broader concerns about transfers to the US and whether the current US legal framework meets EU standards for processing of personal data, particularly with regard to the scope of the processing and available remedies to non-US individuals.  Accordingly, the statement indicates that the Working Party intends to complete an assessment of "all personal data transfers to the U.S." at a meeting to be scheduled in the coming weeks to determine whether any of the currently recognized cross-border transfer mechanisms, such as the Standard Contractual Clauses and Binding Corporate Rules, can be used for personal data transfers to the US.  The terms of the Privacy Shield will be analyzed as part of that process.  In the interim time, the Working Party makes clear in the statement that it considers that such mechanisms (other than the invalidated Safe Harbor arrangement) can be used. 

Background on The Article 29 Working Party

The Article 29 Working Party was established by the European Data Protection Directive (95/46/EC) and launched in 1996.  It is composed of one representative of the data protection authority of each EU Member State, the European Data Protection Supervisor and a representative of the European Commission.  The role of the Working Party is advisory in nature, meaning that its opinions are non-binding on the European Commission and individual data protection authorities (although Working Party opinions are generally given quite a lot of weight and should, therefore, should be carefully considered).  As such and with regard to the Working Party's role in the implementation of the Privacy Shield, the European Commission is now tasked with preparing a draft adequacy decision for the arrangement that will be submitted to the Working Party as well as the Parliament for advice and non-binding opinion, and then the draft decision will be considered by the Article 31 Committee of Member State Representatives for approval.

What Should Companies Be Doing Now?

During this interim time while the draft Privacy Shield decision is prepared and considered by EU authorities, companies should examine the texts of the Privacy Shield once released, and consider whether or how they could comply with such requirements.  Companies should also continue to stay the course in pursuing appropriate data transfer and data processing agreements, and avoid statements on public websites that Safe Harbor is their only mechanism to address cross-border data transfers.  In addition, companies should monitor updates from the European Commission, the Working Party, and individual data protection authorities regarding cross-border transfer mechanisms, transition periods and enforcement.

Contributors - Michael Egan, Brian Hengesbaugh,  Amy de La Lama