On February 2, the potential replacement to the invalidated Safe Harbor data transfer mechanism, the EU-US Privacy Shield, was announced by the European Commission and the US Department of Commerce, as we covered here. However, while organizations and representatives on both sides of the Atlantic welcomed the conclusion of the negotiations on Tuesday, the true substance of the Privacy Shield is yet to come.
A Deal Without the Details
Present details are scant on what will appear in the finalized agreement. Since the announcement, the Commission released a press release, the Department of Commerce shared a fact sheet, the Article 29 Working Party (WP29) released an official statement calling for four essential guarantees for intelligence activities, and multimedia events answered some questions, but these are only superficial outlines of the intent and mechanisms of the deal.
Over the coming weeks, European Commission Vice-President Andrus Ansip and Commissioner Vera Jourová will draft a full adequacy decision to replace Safe Harbor, a decision that will face multiple challenges from the scrutiny of business interests, privacy advocates, the European data protection authorities (DPAs) of the Article 29 Working Party, and the Court of Justice of the European Union (CJEU).
However, we have information on what should appear in the Privacy Shield. According the CJEU, the new adequacy decision must “ … find, duly stating reasons, that [the U.S.] in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order,” which was absent from the original Safe Harbor. The key tenet to look for in the new decision to withstand the CJEU is an emphasis on national security, public interest, law enforcement requirements, and regulations against interference of fundamental rights for the benefit of EU citizens. The protections under the EU-US agreement must be equivalent in effect to those provided by EU law.
EU data privacy watchdog and president of the Article 29 Working Party Isabelle Falque-Pierrotin summed up the current situation during the WP29 press conference on February 3: “We can’t just accept words. It's difficult to come to a conclusion when you're facing political will but no real documents.”
Meanwhile, Across the Atlantic
The European Commission has until the end of February to provide WP29 with all relevant documentation. The Working Party will then hold a plenary meeting to consider all issues relating to personal data transfers to the US and analyze the adequacy decision. Any adequacy decision adopted by the Commission is binding upon EU member states and their DPAs until revoked or declared invalid by the CJEU.
In the US, FTC Commissioner Julie Brill has called upon Congress to pass the Judicial Redress Bill, which would give EU citizens the right to challenge misuse of their personal data in US courts, a right US citizens already enjoy in Europe. The FTC will not change the way it enforces privacy cases, but will improve cooperation with EU DPAs.
While We Wait
Companies can continue transferring personal data to the US under legal, alternative means such as binding corporate rules (BCRs) and standard contractual clauses while European DPAs wait for and analyze the content of the arrangement. Currently, these data transfers will not be shut down before the new Privacy Shield goes into effect, and previous Safe Harbor companies will be given a transition period to review and comply with the Privacy Shield. Using the former Safe Harbor framework is illegal.