Further to the EU Commission press release on the “EU-U.S. Privacy Shield” and the Article 29 Working Party (WP29) statement illustrating that more discussions on the new arrangement are to come, the French CNIL (a) issued a press release on February 4 aligning itself with the WP29 on the concerns raised by this new framework, and (b) switched to enforcement mode, the first prominent target being Facebook.

The background of the “EU-U.S. Privacy Shield”

From mid-October 2015 until now, the WP29 has deeply examined the “practices of U.S. intelligence and the conditions under which it allows any unjustified interference to the European right to respect for private life and data protection”. The WP29 compared its analysis with the requirements of European case law on fundamental human rights, and highlighted essential guarantees that should be respected when transferring personal data from the EU to the United States. The WP29 then compared its overall work with the new draft agreement of the “EU-U.S. Privacy Shield”. The French CNIL carried out the same work independently.

First concerns raised on the “EU-U.S. Privacy Shield”

At first sight, both the WP29 and the CNIL welcome the negotiations between the EU and the United States on the “EU-U.S. Privacy Shield”, but they express doubts concerning the rights of data subjects, in particular regarding the scope of the right to access their data and the possibility of redress.

What’s next?

The CNIL also stated that the EU Commission will hand over all the relevant documentation in the preparation of the “EU-U.S. Privacy Shield” to the WP29 by the end of February 2016. The WP29 will then continue its assessment and will publish its analysis in April 2016.

In the meantime, the CNIL, in line with its previous recommendations, enjoins companies to use alternative legal frameworks, such as EU Model Clauses or Binding Corporate Rules.

The CNIL has switched to enforcement mode

In its press release, the CNIL once again reminds companies that transferring data to the United States on the basis of the Safe Harbor framework is illegal, and restates the necessity of choosing alternative frameworks for data transfers to the United States. What the CNIL did not state in that press release, but made clear in another one, is that it has started to implement enforcement measures.

The WP29, as well as the CNIL, had set forth that January 31, 2016, would be the compliance deadline for the implementation of such alternative frameworks.

On February 8, the CNIL issued a press release in which, among other issues, it outlined that Facebook, which had based its data transfers to the United States on Safe Harbor, had not remedied the situation in time following the invalidation of this framework. The CNIL announced that it was therefore undertaking enforcement measures.

In case of non-compliance with the requirements related to the transfer of data outside of the EU, the CNIL can notify the data controller to suspend the transfer and to take appropriate corrective actions. If the company persists in violating the French regulation, it risks sanctions of up to five years' imprisonment and a fine of up to €300,000.

It is not only the CNIL that is likely to start enforcement actions against organisations previously certified to Safe Harbor, and the timeline given as an estimate for finalisation of the Privacy Shield does not mean that an additional grace period applies. Organisations that have not yet determined the method they will use for data transfers should not tarry.