In October last year the Court of Justice of the European Union declared unlawful the “Safe Harbor” arrangements for personal data transfers between the EU and US. Until that court ruling, the Safe Harbor was heavily relied on to protect transfers of individuals’ personal data from the EU to the US.
The Article 29 Working Party (representing all EU Data Protection regulators – WP29) had imposed a deadline of 31 January 2016 for EU and US authorities to find a replacement solution that would be compliant with EU law. That deadline has been missed. The EU authorities have made progress, but have yet to finalise a deal, leaving business in a state of ongoing uncertainty.
An EU Commission press release on 2 February outlined the terms of a potential solution, the “EU-US Privacy Shield”, saying that:
“The new arrangement includes commitments by the U.S. that possibilities under US law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.”
But WP29 wants to see the details before approving the deal. It has commented on the proposal:
“The WP29 calls on the Commission to communicate all documents pertaining to the new arrangement by the end of February. The WP29 will then be in position to complete its assessment for all personal data transfers to the U.S. at an extraordinary plenary meeting that will be organized in the coming weeks. After this period, the WP29 will consider whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S. In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms.”
What this announcement makes clear is that WP29 is not confining itself to the Safe Harbor. It has also been looking at the other mechanisms relied on for data transfer - Standard Contractual Clauses and Binding Corporate Rules. WP29 has concerns about these methods too.
“Even though the WP29 certainly recognises the efforts of the U.S. in 2014 and 2015 to improve the protection of the data of non-U.S. persons, it still has concerns on the current U.S. legal framework as regards the four essential guarantees, especially regarding scope and remedies.”
So a satisfactory deal with the US authorities needs to be struck not only for a new Safe Harbor, but also, once WP29 has completed its review, to give continuing protection under the other widely used methods for transatlantic data flows.