The Article 29 Working Party (WP 29) published their initial response to the new Privacy Shield yesterday.

Here’s the good news:

  • WP 29 welcomes the conclusion of negotiations by the deadline (actually, the deal was announced on Tuesday, which is a couple of days late, but let’s overlook that).
  • WP 29 looks forward to receiving the relevant documents to analyse the detail. They want to look at the content and legally binding nature of the arrangement to assess whether it deals with the risk of massive and indiscriminate surveillance (as per the Schrems judgment).

Here’s another interesting development:

  • WP 29 has been assessing the current legal framework and practices of US intelligence and has decided on 4 “essential guarantees” that will be required: (a) clear, precise and accessible rules on surveillance; (b) access to be proportionate at all times; (c) an independent oversight mechanism (judge/independent body); and (d) effective remedies.

Next Steps

The Commission now has to deliver on the detail. It will communicate all documents pertaining to the new arrangement to WP 29 by the end of February. WP 29 will then run its assessment on the Privacy Shield proposal (it’s not the law yet). It will also review other transfer mechanisms such as model clauses and BCRs.

What does this mean for business now?

  • Don’t rely on the Privacy Shield just yet. It’s not an “adequacy decision” and the detail needs to be provided and assessed.
  • Ensure data transfers are either covered by model clauses or BCRs or one of the other derogations.
  • As we recommended previously: do a “fact find” (to identify what data is collected and shared, data flows, data centres and purposes of onward transfer).
  • Consider prioritising data flows to ensure that model contracts are applied to the important data flows as early as possible.
  • Unless an alternative transfer mechanism is in place, there is a risk of enforcement action. WP 29 is clear that you can no longer rely on the old Safe Harbor.