Following yesterday’s announcement of the political agreement on the EU-US Privacy Shield, which is to replace the Safe Harbor programme, European data protection authorities met today to be briefed on it. Their view at present seems to be cautiously optimistic.
The group, called the Article 29 Working Party, welcomed the political agreement but noted that it would like to see the documents describing the programme in more detail before coming to final conclusions, particularly regarding the findings of the Court of Justice of the European Union in the Schrems case (which brought down the Safe Harbor data transfer route). They have asked the European Commission to provide these by the end of February.
The Article 29 Working Party also noted that:
- continued use of the now illegal Safe Harbor programme could be subject to enforcement action on a case-by-case basis by local regulators;
- they are reviewing the other data transfer routes (such as the Model Clauses and Binding Corporate Rules) to see if they also have concerns which need to be addressed – a special meeting of the Article 29 Working Party will be arranged to review this and the EU-US Privacy Shield in the coming weeks – but they confirmed that the Model Clauses and Binding Corporate Rules remain a suitable data transfer route until decided otherwise.
There are four essential guarantees which the Article 29 Working Party considers should be in place for any intelligence activities:
- being clear about the rules which apply – so people understand what might happen to their data;
- the processing being necessary and proportionate – balancing societal need and national security against the rights of the individual;
- an independent oversight mechanism that is effective and impartial; and
- effective remedies – so individuals with complaints can have these issues considered by an independent body.
We will be watching for publication of the date of this new meeting, but in the meantime you should:
- understand your data flows and transfers;
- continue putting in place data transfer mechanisms which do not rely on Safe Harbor.