A group of EU data protection regulators has announced a review of the recently agreed EU-US Privacy Shield, the international data transfer framework which is set to replace Safe Harbor.

As we recently reported (see here), the European Commission and the United States have reached an agreement on the successor to Safe Harbor, to be known as the EU-US Privacy Shield. The new framework is designed to reflect the requirements set out in the CJEU’s ruling in the Schrems case and will provide various redress mechanisms in order to uphold the fundamental rights of EU citizens.

The Article 29 Working Party (WP29) has determined that the following four guarantees should be respected when personal data is transferred outside the EU:

  1. Data processing should be based on clear, precise and accessible rules
  2. Data collection should be proportionate
  3. An independent oversight mechanism should be in place
  4. Effective remedies should be available to data subjects

The WP29 has stated that it will examine the Privacy Shield on the basis of these four guarantees. It hopes to receive the relevant documents relating to the Privacy Shield by the end of this month so that it can determine whether the Privacy Shield addresses the concerns raised by the CJEU in Schrems.

What happens now?

As it stands, transatlantic data transfers cannot take place under Safe Harbor as this mechanism has been declared invalid by the CJEU in Schrems. The WP29 has stated that Standard Contractual Clauses and Binding Corporate Rules can still be used for data transfers to the US in the meantime.

It is expected that the European Commission and the US will formalise their agreement on the Privacy Shield over the coming weeks. The WP29 will then conduct a review to determine whether the Privacy Shield addresses data protection concerns. It remains to be seen whether the Privacy Shield is an acceptable solution to the issues highlighted by the Schrems judgment.

With the proposed EU-US Privacy Shield still some way off, businesses that previously relied on Safe Harbor in respect of data transfers to the US should implement an alternative data transfer solution in the meantime.