In response to the February 2, 2016, announcement by the European Commission (the "Commission") and the U.S. Commerce Department of a new framework, called the "Privacy Shield," to replace the invalidated U.S.-European Union ("EU") Safe Harbor Framework for cross-border data transfers,1 the EU's top data protection regulatory body, the Article 29 Working Party (the "Working Party"), issued a statement expressing reservations and providing limited guidance for U.S. multinational employers. The Working Party's Statement, issued on February 3, 2016, demonstrates that the regulatory environment surrounding transfers of personal data between the U.S. and the EU remains fraught with uncertainty and risk.
The Working Party's Statement
In its Statement, the Working Party sent an unequivocal reminder that U.S. multinational employers can no longer rely on the Safe Harbor to legitimize the transfer of EU employees' personal data to the United States. The Working Party declared, "[T]ransfers to the U.S. cannot take place on the basis of the invalidated Safe Harbor decision." To drive the point home, the Working Party also emphasized, "EU data protection authorities will . . . deal with . . . complaints on a case-by-case basis." In other words, the grace period on enforcement that effectively had been in place since October 6, 2015, when the European Court of Justice invalidated the Safe Harbor, is over.
The Working Party also expressed its intention to scrutinize whether the Privacy Shield provides an adequate level of protection for personal data transferred from the EU. To that end, the Working Party called on the Commission to provide for review by the end of February the documentation that supports the Privacy Shield agreement, which the Commission described only in outline form on February 2, 2016. The Working Party announced its plan for an "extraordinary plenary meeting . . . in the coming weeks" to assess whether the Privacy Shield alleviates the regulators' "concerns regarding the U.S. legal framework."
The Working Party provided assurances that during this period of review and assessment "transfer mechanisms, such as Standard Contractual Clauses [(the 'Clauses')] and Binding Corporate Rules [('BCRs')] can still be used for personal data transfers to the U.S." The Clauses are form data transfer agreements approved by the Commission. BCRs are internal data processing rules binding on all members of a global corporate group to permit intragroup transfers of personal data. Although the Working Party blessed both transfer tools as interim measures, it also noted it has been evaluating "the robustness of . . . [these] transfer tools" to protect "the European right to respect for private life and data protection" against "unjustified interference" by U.S. intelligence agencies. Furthermore, these tools will continue to be assessed along with the Privacy Shield. In other words, the Working Party has issued a veiled warning that virtually all transfers of EU personal data to the United States are at risk.
Recommendations For Employers
The Working Party's Statement reaffirms the validity of the recommendations made in our ASAP referenced in Footnote 1. In summary, U.S. multinational employers should (a) closely watch for further guidance on the Privacy Shield from the Commission and for pronouncements from the Working Party and local European data protection authorities regarding the Privacy Shield; (b) continue to comply with their obligations under the Safe Harbor with respect to previously transferred personal data to avoid enforcement actions by the Commerce Department or Federal Trade Commission, which consider the Safe Harbor as still binding on certifying companies; (c) consider implementing the Clauses — at least on an interim basis — and applying their data protection principles to the extent those principles supplement the Safe Harbor to previously transferred personal data; and (d) assess whether the Privacy Shield is an attractive alternative to the Clauses.