Model Contracts and BCRs Remain Viable (for Now)
The European Commission announced on February 2, 2016, that a political agreement has been reached on a new framework on transatlantic data flows. This announcement follows weeks of intense discussions by EU and U.S. officials and is the latest in a series of developments and reactions to the judgment of the Court of Justice of the European Union (CJEU) in the Schrems case which found the Commission Decision 2000/520 on Safe Harbor invalid. While the political agreement is welcomed, the level of uncertainty has not been reduced. It could take months for a new framework, referred to as the EU-U.S. Privacy Shield, to be established. The following day, the Article 29 Working Party added to the uncertainty by stating that it could not support the framework without a detailed review of the Privacy Shield and the existing data transfer mechanisms of EU Standard Contractual Clauses and Binding Corporate Rules, although they remain valid until the review is completed at the end of March.
The Commission’s announcement was made in a press conference in which Commissioner Jourová expressed the hope that the EU-U.S. Privacy Shield will enter into force within three months. The Commissioner identified three key elements of this new framework: (i) strong obligations on companies handling the personal data of Europeans coupled with robust enforcement; (ii) clear safeguards and transparency obligations on U.S. government access; and (iii) effective protection of the rights of EU citizens, with several redress possibilities.
Following the CJEU invalidation of the Safe Harbor framework, the Article 29 Working Party set a deadline of January 31, 2016 by which the European Commission and the U.S. authorities should find “political, legal and technical solutions enabling data transfers to the [U.S.] that respect fundamental rights.” The Article 29 Working Party acknowledged in its guidance issued last October that this could in part be achieved through the implementation of what is now called the EU-U.S. Privacy Shield.
The EU-U.S. Privacy Shield will take the form of an exchange of letters signed at what is described as the highest political levels, but it will not involve a treaty. According to the Commission, these legally binding commitments will ensure that the safeguards are essentially equivalent to those that exist in the EU. Following a summary of the status of the negotiations given by Commissioner Jourová on February 1, 2016, the members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs questioned the legal effectiveness of an exchange of letters.
During the press conference, Commissioner Jourová stressed that the new framework for transatlantic data flows will need to be able to withstand the inevitable next legal challenge, as the CJEU ruling was “used as a benchmark to formulate” the new framework. The Commissioner further confirmed that the new arrangement will include the following elements:
- U.S. companies participating in the EU-U.S. Privacy Shield will have to commit to “robust obligations on how personal data is processed and individual rights are guaranteed.” Activities will be monitored by the Department of Commerce and subject to enhanced enforcement by the Federal Trade Commission (FTC), and companies processing European human resources data will need to commit to comply with decisions by European Data Protection Authorities.
- The U.S. will give written assurances that for data transferred under the Privacy Shield: (i) public authorities’ access to personal data will be subject to clear limitations (i.e., what is strictly necessary and proportionate), safeguards and oversight mechanisms; (ii) there will be no indiscriminate mass surveillance except where tailored and targeted access is not operationally feasible or in the event of emergencies; (iii) safeguards will apply equally to non-U.S. citizens; and (iv) an Annual Joint Review Committee will be established to look at all aspects of the framework, including access by public authorities. The review will be conducted by the European Commission and the U.S. Department of Commerce, assisted by U.S. security and intelligence agencies and European Data Protection Authorities.
- In terms of individual redress with respect to surveillance, there will be an independent ombudsperson with a “real capacity to act” on individual complaints regarding possible access by national intelligence authorities.
- Unresolved complaints will be referred to a “last resort mechanism” involving a binding arbitration panel. To the extent the company cannot resolve the complaint, the complaint can be dealt with through an alternative dispute resolution procedure, the FTC or the Department of Commerce and, as a last resort, will be resolved by the arbitration panel. Use of this arbitration mechanism would give rise to an opportunity for judicial review under the Federal Arbitration Act.
- A suspension clause is included, and Commissioner Jourová said this will be exercised in the event the U.S. does not fulfill its commitments.
The press conference was held after the College of Commissioners mandated that the Commissioner and European Commission Vice President Ansip prepare a draft “adequacy decision” in the coming weeks — the start of the comitology process. Following advice from the Article 29 Working Party and consultation with a committee of representatives from the EU Member States, the College may then adopt the decision.
On February 3, 2016, the Article 29 Working Party confirmed in a statement that EU Standard Contractual Clauses and Binding Corporate Rules are still valid data transfer mechanisms for the time being. In its statement, the Article 29 Working Party “welcome[d] the fact of the conclusion of the negotiations between the EU and the U.S. on the introduction of a EU-U.S. Privacy Shield.” However, the Working Party withheld its support of the Privacy Shield pending its ability to assess the relevant documents in the context of the CJEU judgment, of which it requested receipt by the end of February.
The Article 29 Working Party has been holding hearings and discussions to assess the current legal framework and practice of U.S. intelligence services, which is to be assessed in light of European jurisprudence on fundamental rights that sets the “four essential guarantees for intelligence activities:” (i) processing should be based on clear, precise and accessible rules; (ii) the demonstration of necessity and proportionality; (iii) the existence of an independent oversight mechanism; and (iv) the availability of effective remedies for individuals.
While the Article 29 Working Party confirmed that for the time being other data transfer tools (i.e., EU Standard Contractual Clauses and Binding Corporate Rules) are still valid, it stated that further analysis will be carried out in respect of these mechanisms in light of the new EU-U.S. Privacy Shield and, in particular, whether this new framework “will provide legal certainty for the other transfer tools.”
An extraordinary plenary meeting of the Article 29 Working Party will be held towards the end of March, during which a decision will be made as to whether the EU-U.S. Privacy Shield meets the four essential guarantees for intelligence activities and respects the powers afforded to data protection authorities under the EU Data Protection Directive 95/46/EC. A decision will also be made at that time with respect to the ongoing validity of EU Standard Contractual Clauses and Binding Corporate Rules.