In October 2015 the EU’s highest court (the CJEU) found the longstanding EU-US data transfer framework – Safe Harbor – to be invalid. In the interim, both EU regulators and the European Commission moved to offer guidance and clarification. Within 2 weeks of the CJEU decision, EU regulators, in their collective grouping as the Article 29 Working Party (“WP29”), confirmed that both the European Commission Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”) remained valid methods to transfer data to the US. However, WP29 also indicated that coordinated enforcement may begin by end of January 2016.

This week, the 31 January deadline expired and WP29 convened a two-day meeting to discuss, among other issues, US data transfers. In parallel, the European Commission (“Commission”) issued a press release indicating that agreement had been reached with the US for a new framework to support data transfers. We take a look at these developments and what they actually mean.

What is the Privacy Shield?

On 2 February 2016, the Commission published a statement confirming that it and the United States had agreed, in principle, a new framework for EU-US data transfers. This has been dubbed the EU-US Privacy Shield (the “Privacy Shield”).

Relatively little is known about this framework so far. The Commission has indicated, however, that the Privacy Shield will include:

  • Strong obligations on US companies handing EU personal data;
  • Effective monitoring by the US Department of Commerce;
  • Robust enforcement by the Federal Trade Commission (“FTC”);
  • Clear safeguards and transparency obligations on US government access;
  • Limitations on US public authorities’ access, based on necessity and proportionality; and
  • Avenues for individuals seeking redress.

It is important to note that the announcement only signifies broad agreement between the parties. While the Commission suggests that the Privacy Shield will reflect the requirements set down by the CJEU, it is now up to certain Commission bureaucrats to actually draft the “adequacy decision”. The initial draft will take a number of weeks but it could be at least 3 months before the final version is agreed, published and adopted into law as a Commission Decision. The input of both WP29 and Member State representatives will be sought in revising and refining the draft and this may slow the process.

Together with more stringent obligations on US importers and increased options for EU individuals seeking redress, the announcement states, in particular, that the US has provided “written assurances” on public authorities’ access for law enforcement and national security. The US Department of Commerce (the “Department”) published a fact sheet providing some further insight on this. In particular, the Department indicated that the Privacy Shield will be “a living framework subject to active supervision”, involving annual meetings between the Department, the FTC and WP29. The Department also stressed that the assurances provided by “the US intelligence Community” involve oversight from all three branches of US government and constitutional, statutory and policy safeguards. This extent of these assurances is likely to be key to the success (or otherwise) of the Privacy Shield.

Regulatory reaction

Shortly after the Commission’s announcement, WP29 published its own press release following its two-day meeting. It stated that any new transfer framework should:

  • Set down clear, precise and accessible rules;
  • Limit authorities’ access to situations where necessary and proportionate;
  • Allow for an independent oversight mechanism; and
  • Provide effective remedies for individuals. 

Although welcoming the announcement, WP29 indicated it would reserve its position on whether the Privacy Shield could actually address the “wider concerns” raised by the CJEU last October. WP29 has called on the Commission to provide a draft by the end of February.

Aside from the Privacy Shield, WP29 also focused on the existing transfer mechanisms – SCCs and BCRs. In recent months, WP29 has been examining the robustness of these existing mechanisms, particularly in the context of US intelligence practices. According to WP29, the group “still has concerns” regarding the current US legal framework. The recent press release indicates that WP29 is eager to determine if the assurances obtained from the US in the context of the Privacy Shield can similarly apply to alleviate concerns around the validity of BCRs and SCCs for US importers. In the meantime, WP29 has confirmed that these current mechanisms can still be used for personal data transfers to the US.

WP29 is due to schedule a further meeting, potentially in mid-late March or early April, to consider if SCCs and BCRs remain valid mechanisms for US data transfers. WP29 has confirmed that complaints relating to US data transfers will be dealt with by DPAs on a case-by-case basis in the meantime.

What does this all mean?

On the US side, more needs to be done before the Privacy Shield can meaningfully operate. In particular, the Judicial Redress Act, which aims to confer the benefits of certain US laws on EU citizens, needs to be adopted. At present, this bill remains before the US Senate. Absent this bill becoming law, it’s hard to see how the Privacy Shield will withstand legal scrutiny in the EU.

On the EU side, the status quo remains – personal data can still be validly transferred from the EU to the US based on SCCs or BCRs. However, certain WP29 members have residual doubts about the on-going validity of these mechanisms for US data transfers, given concerns around the current US legal framework. One hopes that the majority of WP29 can be persuaded that the on-going progress being made in the US will serve to provide further support to the use of SCCs, in particular. It would be fairly bizarre if the Commission adopts the Privacy Shield based on improvements in the US regime, while at the same time WP29 questions other data transfer mechanisms which are affected by the same underlying developments.  

In terms of the Privacy Shield, the Commission’s adequacy decision is expected to take a number of months before it is adopted into law. WP29, in particular, is likely to closely scrutinise the draft with a specific focus on the written assurances supplied by the US. Both the viability of the Privacy Shield and the on-going validity of existing mechanisms for US transfer will heavily rely on the scope of these assurances. Watch this space.