The EU Commission has announced political agreement on the formation of a new transatlantic data transfer regime, the EU-US Privacy Shield (Privacy Shield), to replace Safe Harbor.

Since the CJEU's judgment on 6 October 2015 in the case of Maximillian Schrems v Data Protection Commissioner, in which the EU-US Safe Harbor regime was declared invalid (see my previous editorial on the Schrems decision here), discussions have been ongoing between the EU and US in an attempt to establish a new and more resilient regime for transferring personal data across the Atlantic.

The European Commission and US were given until the end of January to find an appropriate solution, with the European Data Protection Supervisor and Working Party 29 warning that failure to resolve the issues raised in Schrems concerning the indiscriminate monitoring of EU citizens by US authorities would result in Working Party 29 considering the validity of all transfers to the US, including those made under model clauses and binding corporate rules.

Companies were given no choice but to hastily look to replace contracts previously reliant on Safe Harbor with model clauses agreements. Working Party 29 announced that transfers based on Safe Harbor were no longer valid but that no enforcement action would be taken until the end of January, the implication being that companies who did not put alternative mechanisms in place would be subject to such enforcement once the January deadline had passed. However, the elephant in the room remained: the reasons why Safe Harbor was declared invalid in Schrems were equally applicable to the other mechanisms for transferring personal data to the US. Working Party 29 used this fact to their advantage in imposing the end of January deadline on the Commission and the US, as the alternative would have been that all data transfers to the US would need to be suspended.

The Privacy Shield solution, hastily announced on 2 February, claims to provide Europe with its required assurances that the access of US public authorities for national security purposes will be subject to limitations, safeguards and oversight mechanisms. However, details on how this is to be achieved are sketchy at best at present, and it is not entirely clear how effectively this new regime will address the chasms highlighted by the downfall of Safe Harbor.

Working Party 29 reaction

Following the announcement, Working Party 29 published a statement explaining that they will delay their discussion on transfers to the US under model clauses and binding corporate rules until they have been given more detail on the Privacy Shield. They have asked to receive final drafts of the proposal within 3 weeks, allowing them to work towards a final decision on US data transfers. They have agreed that transfers to the US under model clauses and binding corporate rules will remain valid until then, and have set out the four "guarantees" that must be met in order to transfer data outside Europe under any mechanism and to any country. These are:

  • Data processing must be based on clear, precise and accessible rules;
  • The objectives pursued must be necessary and proportionate;
  • An independent and effective oversight mechanism must exist; and
  • Effective remedies must be available to the individual.

As such, Working Party 29 will be undertaking further analysis of the agreement in the context of Privacy Shield and in respect of other transfer mechanisms.

Actions to be taken now

If there was any hope in your mind that Safe Harbor would live to fight another day, that should now be dismissed. If its replacement survives Working Party 29 scrutiny, the Privacy Shield is unlikely to be available until the summer or autumn, and Working Party 29 has confirmed that transfers still reliant on Safe Harbor are illegal.

Therefore, although there is no guarantee that model clauses and binding corporate rules will survive Working Party 29's April scrutiny, companies have little choice but to put these alternative mechanisms in place for the time being if they wish to continue to use vendors in the US without fear of enforcement action. Alternatively, companies could relocate services to the EU, a trend we have noticed from a number of large cloud providers.