On February 2nd, 2016, EU and U.S. officials reached a political agreement on a new framework for transatlantic data flows called the "EU-US Privacy Shield". You may be thinking: "That's it! A new solution has been found." Just keep on reading… you'll see that it's far from being a done deal.
The following day (February 3rd, 2016), the Article 29 Working Party ("WP 29") released a public statement on the consequences of the EU Court of Justice's decision invalidating Safe Harbour and gave a high-level opinion on the political agreement that had been reached the day before.
The key points of this statement are summarized below:
- The WP 29 welcomes the conclusion of the negotiations between the EU and the US introducing a new "EU-US Privacy Shield", but it has not yet received a copy of this political agreement. It is waiting to receive the relevant documents in order to verify whether this arrangement is legally binding and to assess whether it complies with the Court's decision on Safe Harbour.
- The WP 29 still has "concerns" regarding the current US legal framework (in particular the practices of US intelligence agencies) and has therefore set forth four "essential guarantees" that intelligence activities must meet in order to comply with EU fundamental rights:
1/ Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen to her/his data once they are transferred;
2/ Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be struck between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
3/ An independent oversight mechanism that is both effective and impartial should exist: this can be either a judge or another independent body, as long as it has sufficient powers to carry out the necessary checks; and
4/ Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.
- The WP 29 has given the EU Commission until the end of February to send it all the relevant documents concerning the EU-US Privacy Shield.
- Once the WP 29 receives all the documents, it will be in a position to complete its assessment "for all personal data transfers to the US" (not just those based on the EU-US Privacy Shield). To this end, it will reconvene in an extraordinary plenary meeting in the coming weeks to decide whether its concerns regarding the US legal framework can be alleviated by the introduction of the EU-US Privacy Shield, and to what extent this new arrangement provides legal certainty for the other data transfer tools (i.e., EU Standard Contractual Clauses and Binding Corporate Rules, or "BCR").
- In the meantime, however, the WP 29 does consider that "this is still the case for existing transfer mechanisms", meaning that companies can continue to rely on the EU Standard Contractual Clauses and Binding Corporate Rules to transfer personal data to the US.
- The WP 29 also recalls that, since the Schrems decision, companies can no longer transfer data to the US on the basis of Safe Harbour, and that the EU data protection authorities "will therefore deal with related cases and complaints on a case-by-case basis", meaning that enforcement actions can no longer be ruled out.
So where does that leave businesses? And what are the consequences for companies who are currently transferring personal data to the US?
First, we haven't yet seen the political agreement that was reached between the EU and the U.S., so we cannot comment on what it actually says.
What we do know, however, is that the Safe Harbour legal framework as we knew it before the Max Schrems decision no longer exists. The name "Safe Harbour" has been replaced by "EU-US Privacy Shield" (a strange choice of name, if you ask me, as if it justified the idea that EU citizens need to be shielded against potential threats coming from outside Europe). We'd expect this new framework to be based on principles similar to those that existed under Safe Harbour; however, it is an entirely new agreement, so any comparison with Safe Harbour should be avoided.
Second, even though the EU and U.S. political leaders have miraculously succeeded in reaching an agreement (nearly) before the deadline imposed by the WP 29, this is not a legally binding document (it is just a political agreement), and there are still a few hurdles along the way before it comes into force. To begin with, the EU-US Privacy Shield must now be drafted in the form of an "adequacy decision" by the EU Commission and adopted by the College of EU Commissioners, after obtaining the advice of the WP 29 and after consulting a committee composed of representatives of each EU Member State. Phew! That's quite a mouthful. The key point is: this will take a while (possibly several months).
Third, the biggest hurdle that lies ahead is whether this adequacy decision will be approved by the EU DPAs who, since the Max Schrems decision, are significantly empowered and could simply veto the whole text. It is fair to assume that if the WP 29 does not back this text unanimously, the EU-US Privacy Shield will never see the light of day!
Assuming it is validated by the WP 29, some very practical issues could still impede the success of the EU-US Privacy Shield:
- Will the EU-US Privacy Shield have the necessary support of the business community to thrive and survive? Following the invalidation of Safe Harbour, the trust that companies had placed in Safe Harbour is seriously diminished, and companies will think twice before certifying to a new transatlantic data transfer framework.
- Is the Safe Harbour certification process still valid under the EU-US Privacy Shield, or will the 4,000 U.S. companies that certified to Safe Harbour have to go through the entire self-certification process again? The chances are that it will be the latter.
- Assuming the EU-US Privacy Shield is finally validated by the WP 29 and comes into force, national DPAs will carefully review and scrutinize any requests they receive from EU controllers to approve their transfers of personal data to the U.S. and will not risk damaging their reputation (or violating the Court of Justice's decision) if they think there is the slightest chance that such transfers may violate EU law. This will put huge pressure on companies and some DPAs may simply refuse to authorize transfers on the grounds that the EU-US Privacy Shield is not sufficiently protective of EU fundamental rights.
- The EU-US Privacy Shield is not, and will never be, a means for transferring personal data globally; on the contrary, it will be limited to transfers of data between the EU and the US. This should get international organizations seriously thinking about their global data transfer strategy, especially in light of how global IT networks and systems now operate. DPAs will be much more attentive to the fact that US companies have used Safe Harbour in the past as a gateway for transferring personal data globally, and will do everything in their power to prevent this from happening again.
- The very survival of the EU-US Privacy Shield is at stake from the day it comes into force, because all the spotlights will be turned towards U.S. companies and the United States to make sure they are effectively complying with the principles of the EU-US Privacy Shield and EU law. If there is the slightest doubt that this is the case, all trust will be lost – forever, and not just for the EU-US Privacy Shield but for transatlantic data flows as a whole. If you ask me, this "Privacy Shield" had better be rock solid!
In summary, to all companies who are wondering what they should be doing now:
- Sit back and hold tight. It's going to take several more weeks (or months) before the EU-US Privacy Shield is officially adopted and comes into force (if ever it does).
- At this point, it is still highly uncertain whether the WP 29 will validate the EU-US Privacy Shield, given the difficulty the EU DPAs are having in reaching a common position.
- In the meantime, companies should put in place alternative and safer legal mechanisms (i.e., EU model clauses or BCR) for transferring their data to the U.S. and, more generally, for transferring their data globally.
- And finally, companies should be thinking ahead about how to comply with the General Data Protection Regulation, which is where the real challenge lies.
By Olivier Prosut, of Counsel, Privacy Security & Information (firstname.lastname@example.org)