The Judgment of the European Court of Justice of 6 October 2015 ("Schrems Case") left without legal cover data communications made by the European Union to American entities attached to the Safe Harbor Agreement. In recent months, companies affected by said Judgment have been obliged to choose other legal mechanisms that enable them to comply with data protection rules.
The Spanish Data Protection Agency and the Article 29 Working Party expressly noted that both the standard contractual clauses approved by the Commission and the Binding Corporate Rules remained valid.
However, from various spheres, it was encouraged to formalize as soon as possible a legal framework to replace the Safe Harbor.
Finally, after long negotiations, the European Commission announced on Tuesday, February 2, that it has reached an agreement with the United States regarding the conditions under which data transfers may be made to entities located in that country to ensure an adequate protection level.
The terms of the agreement, called "EU-US Privacy Shield", have not been made public yet. According to the press release provided by the European Commission, (i) the circumstances under which US authorities may access the data transferred will be limited, (ii) stricter obligations for member companies will be established and (iii) European citizens will be allowed to submit complaints through various channels.
It has been announced that, in the coming weeks, the "Adequacy Decision" will be drafted, which must be approved by the representatives of Member States, after consulting the European Data Protection Authorities.
For the time being, the Article 29 Working Party ("WP 29") has issued a statement that identifies four essential guarantees which, based on European case law, must be observed in international data transfers to the United States:
- Clear, precise and transparent rules to enable a reasonably informed person to know what treatment is given to his/her data.
- Necessity and proportionality in any access made to the data transferred.
- Existence of an independent authority or monitoring mechanism.
- Possibility of those affected to claim and defend their rights against an authority or control mechanism.
The WP 29 insists on the fact that international data transfers to the United States covered by the Commission Decision on Safe Harbor are not legal from the moment that Decision was declared invalid. It also points out that the national Data Protection Authorities must analyze case-by-case the complaints brought before them, which could theoretically affect the standard contractual clauses approved by the Commission and the Binding Corporate Rules.
The WP 29 has announced that it will publish a comprehensive analysis of the EU-US Privacy Shield in early March, once it has been given all the documents relating to the agreement. Even though the WP 29 continues to assert the validity of the contractual clauses and the Binding Corporate Rules, the analysis will include a review of both mechanisms.
In short, although the agreement between the European Union and the United States is a breakthrough, companies affected by the Judgment of the "Schrems Case" continue in the same situation, where there is still no real alternative to replace the Safe Harbor.