Two recent announcements from the European privacy sphere could be significant for companies that transfer personal data between the United States and European Union.
The European Parliament recently issued a resolution calling for the European Commission to reopen negotiations with the U.S. and seek “further improvements” on the draft EU-U.S. Privacy Shield arrangement for trans-Atlantic data transfers. In its resolution, the European Parliament expressed concern about the legal status of the “written assurances” provided by the U.S. around bulk collection of personal data and noted that the U.S. standards for such collection do not meet the stricter “necessity and proportionality” criteria required by the EU Charter of Fundamental Rights. Significantly, the resolution called for the Commission to “fully implement” the recommendations provided in the opinion of the Article 29 Working Party (comprised of EU data protection authorities), which also criticized the existing draft Privacy Shield. The European Commission is not bound by the European Parliament resolution or the Art. 29 Party opinion, but both put pressure on the Commission to revisit the Privacy Shield.
Separately, the Office of the Irish Data Protection Commissioner recently announced that it will ask the European Court of Justice (ECJ) to determine if multinational companies can continue to use model contractual clauses to transfer data between the U.S. and the EU. In a statement, the Commissioner confirmed that it will ask the Irish High Court for a referral to the ECJ as part of its investigation of a new grievance filed by Max Schrems, the Austrian student whose earlier complaint led to the ECJ’s decision to strike down the old Safe Harbor data transfer mechanism last October. Schrems’s new complaint concerns whether model contracts can still be relied on after the ECJ’s decision invalidating Safe Harbor, arguing that they suffer from the same flaws. Many companies have turned to model contracts as an alternative transfer method since the demise of Safe Harbor, particularly given the uncertainty around the proposed new Privacy Shield.
Tip: Watch this space for additional developments on both the Privacy Shield and the Ireland Data Protection Commissioner’s request for ECJ review of model contracts. In the meantime, both announcements serve as a reminder for companies to consider other mechanisms that may be appropriate for the transfer of personal data between the U.S. and Europe, including binding corporate rules.