The EU Commission and the US have agreed on a new framework for transatlantic data flows, named "the EU-US Privacy Shield". This, however, does not mean that recent efforts of companies to for example enter into Standard Contractual Clauses asap, as an alternative to transfer data to US safe harbour subscribing companies, were made in vain.
The EU data protection advisory body Article 29 Working Party (WP 29) welcomes the fact of the conclusion of the negotiations within the deadline set in its statement of 16 October 2015, yet for now does not assess whether this shield can answer the concerns raised by the Schrems judgement in relation to international transfers of personal data. The WP 29 will do so upon receipt of all the documents pertaining to the EU-US Privacy Shield which it has requested to receive by the end of February. Further to this assessment, the WP 29 will then also consider whether transfer mechanisms, such as Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR), can still be used to transfer personal data to the US.
New framework for transatlantic data flows
The EU Commission published a press release on 2 February 2016 announcing a new framework for transatlantic data flows protecting the fundamental rights of Europeans where their data is transferred to the US and ensuring legal certainty for businesses.
The key elements of this new framework are:
- Strong obligations on companies handling Europeans' personal data and robust enforcement;
- Clear safeguards and transparency obligations on US government access;
- Effective protection of EU citizens' rights with several redress possibilities.
To be or not to be?
The WP 29 will, upon receipt of all the documents pertaining to the EU-US Privacy Shield from the EU Commission, assess the EU-US Privacy Shield in light of the European jurisprudence on the basis of the following four guarantees:
- Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with his/her data where they are transferred;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
- An independent oversight mechanism should exist, that is both effective and impartial;
- Effective remedies need to be available to the individual.
Maximilian Schrems, who introduced the claim on the basis of which the CJEU declared the Safe Harbor invalid, doubts that the EU-US Privacy Shield will stand the fundamental rights test and has already mockingly renamed the EU-US Privacy Shield on its Twitter account as "Safe Harbor 1.1".
Further to this assessment, the WP 29 will consider whether the current transfer mechanisms (SCC & BCR) can still be used for personal data transfers to the US.
In terms of timing, the WP 29 has requested the EU Commission to be provided with the documents pertaining to the EU-US Privacy Shield by the end of February. The EU Commission will meanwhile already prepare a draft "adequacy decision" in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the WP 29 and consulting a committee composed of representatives of the Member States.
In the meantime, the WP 29 considers that the SCC and BCR can still be used for existing transfer mechanisms of personal data to the US and recalls that such transfers cannot take place on the basis of the invalidated Safe Harbor decision.