The progress of the EU-US Privacy Shield has been uncertain for the last few months. However, recent developments have clarified the situation somewhat, and it appears that a formal Adequacy Decision could be issued by the European Commission as early as June, barring any objections or procedural delays.
On 2 February 2016, the European Commission (the “Commission”) announced an agreement with the US government on a new mechanism which will replace Safe Harbor and provide a lawful basis for transatlantic transfers of personal data: the EU-US Privacy Shield. It was necessary to negotiate a new transfer mechanism after the Court of Justice of the EU (the “CJEU”) decided in October last year that the Commission’s previous Adequacy Decision regarding Safe Harbor was invalid. As a result, Safe Harbor no longer provides a lawful mechanism for transferring personal data from the EU to the US.
As we previously noted, at the time of the Commission’s announcement, there was no clear timeline for finalising the Privacy Shield framework and the Commission’s new Adequacy Decision. Consequently, businesses that had been relying on Safe Harbor as a mechanism for transferring personal data from the EU to the US have been left in limbo for the last few months, with the threat of enforcement from EU Data Protection Authorities (“DPAs”) hanging over them. However, it now appears that that period of uncertainty may end in June, when it is hoped that the Commission’s Adequacy Decision on the Privacy Shield will be finalized.
Timeline and next steps
Four weeks after announcing the new Privacy Shield framework, the Commission published a number of documents providing further details, including a draft Adequacy Decision, which we explored at greater length in the Article mentioned above. The next steps in the process of finalising the Privacy Shield are as follows:
- Opinion of the WP29 – The Commission has presented its draft Adequacy Decision to the Article 29 Working Part (the “WP29”), an EU advisory body comprised of representatives from national DPAs of the EU Member States. The WP29 is in the process of analysing the legal texts comprising the Privacy Shield arrangement and the Commission’s draft Adequacy Decision, and is expected to publish an opinion at its next plenary meeting which is scheduled to take place on 12 and 13 April 2016. In its analysis, the WP29 will assess the level of protection afforded by the Privacy Shield to personal data that are transferred from the EU to the US. The Chair of the WP29, Isabelle Falque-Pierrotin, stated in a hearing at the European Parliament’s LIBE Committee on 17 March 2016 that the review of the documents is ongoing, and that the WP29 is looking at all relevant aspects, including the issues of transatlantic trade, access by US authorities to personal data, and the impact of the forthcoming General Data Protection Regulation (the “GDPR”). It remains uncertain whether the WP29 will give a favourable opinion on the Privacy Shield.o
- Opinion of the EDPS – In addition to the WP29, the Commission has also consulted Giovanni Buttarelli, the European Data Protection Supervisor (the “EDPS”). The EDPS is a member of the WP29, and therefore it was not surprising that the EPDS stated that he will issue his opinion in alignment with the WP29. It can be expected that this will be shortly after the WP29 publishes its opinion.
- Opinion of the European Parliament – The European Parliament will also assess whether the Privacy Shield provides adequate data protection for EU citizens whose personal data are transferred to the US. However, based on the strong criticisms that a number of Members of the European Parliament have voiced with respect to the Privacy Shield, it appears that significant disagreement and scepticism remain. The Parliament will begin its assessment on 7 April 2016 and provide its opinion before the Commission issues an Adequacy Decision.
- Opinion of the EU Member States – The Commission is also awaiting the opinion of the Committee established by Article 31 of the Data Protection Directive 95/46/EC (the “Art. 31 Committee” – which is composed of representatives of the EU Member States). The Art. 31 Committee will review the opinion of the EDPS before issuing its own opinion. If the Art. 31 Committee is in favour of the Commission’s proposals, the Commission may proceed. However, if the Art. 31 Committee rejects the Commission’s proposals, then the process is more complicated, with an immediate three-month pause, during which time the matter is referred to the EU’s Council of Ministers (which is made up of representatives of the Governments of EU Member States) to resolve.
- Final Adequacy Decision by the Commission – Assuming that the Art. 31 Committee approves the Commission’s proposal, the final step is for the Commission to finalise its Adequacy Decision regarding the Privacy Shield. At the CeBIT trade fair in Hamburg on 14 March 2016, EU Digital Commissioner Günther Oettinger stated that the goal is for the Commission to finalise its Adequacy Decision in June, in line with what other Commission officials have previously indicated. Once the Commission issues its final Adequacy Decision, an EU organisation that wishes to transfer personal data to the US will be able to lawfully transfer those data to any US organisation that is certified under the Privacy Shield. Of course, it may take some time for US organisations to complete the certification process, and so the Commission’s final Adequacy Decision is unlikely to be an overnight fix.
Businesses that transfer personal data from the EU to the US have been under a cloud of uncertainty since October. On the one hand, the WP29 (and, to varying degrees, national DPAs) have made noises about taking enforcement action against businesses that continue to rely on Safe Harbor as a mechanism for transferring personal data to the US. On the other hand, the cost and administrative burden of implementing alternative data transfer mechanisms (e.g., Model Clauses or Binding Corporate Rules) can be considerable, and there is also a danger that those mechanisms could be challenged in the same way that Safe Harbor was. Consequently, businesses face risks and uncertainty in all directions.
It is hoped that much of this uncertainty will be lifted in June, if the Commission is able to issue a final Adequacy Decision in favour of the Privacy Shield by then. However, as noted above, it remains unclear whether the opinions of the various committees and institutions will support the proposed Privacy Shield. In addition, if the Commission does issue an Adequacy Decision in favour of the Privacy Shield, various privacy activists have threatened to challenge that Adequacy Decision through the courts. Consequently, the state of uncertainty is likely to prevail for a while longer, and businesses should prepare themselves for the fact that final resolution of this issue may not be achieved for several months.