On February 3, 2016, the Article 29 Working Party, the EU body representing the data protection authorities (DPA) of each EU member country, announced that all of the DPAs across the EU have agreed to extend the current moratorium on enforcement action regarding transatlantic data transfers until they have had time to scrutinize the EU-U.S. Privacy Shield data transfer program. EU and U.S. officials agreed to the Privacy Shield on February 2, 2016, to replace the Safe Harbor framework, which the European Court of Justice invalidated on October 6, 2015.
However, Isabelle Falque-Pierrotin, the Chairman of the Article 29 Working Party, warned that companies that continue to rely solely on the previous EU-U.S. safe harbor framework during the moratorium may be subject to enforcement actions by the DPAs depending upon individual DPAs and whether those DPAs receive any complaints: "If companies are using the former safe harbor framework it is illegal because this has clearly been invalidated by the judges [at the European Court of Justice]."
To avoid possible enforcement action, Falque-Pierrotin added, "We will allow data controllers to use the [alternative] existing transfer tools until we have conducted and finalized the assessment of the new [Privacy Shield]." Existing transfer tools include binding corporate rules (BCR) and standard contract clauses (SCC) approved by the European Union.
Falque-Pierrotin said the Article 29 Working Party expects to receive the final text of the Privacy Shield in time for the Working Party's scheduled meeting at the end of March. However, it is likely to be mid-to-late April before the Working Party can render an opinion on whether the Privacy Shield offers the data protection equivalent to the EU standards when data is transferred to the United States. Following this opinion, the EU-U.S. Privacy Shield still will not become operational until the European Commission adopts an adequacy decision regarding the new framework and the United States completes the steps it needs to take to implement the Privacy Shield.
Adoption of the Privacy Shield by the Working Party and the European Commission is not a certainty. Critics of the Privacy Shield argue that it is merely a repackaging of the invalidated Safe Harbor framework in that it does not provide EU citizens with adequate legal means within the United States to redress data privacy violations, and it still does not adequately protect transferred data from being intercepted by U.S. national security agencies. Therefore, critics contend that the European Court of Justice will invalidate the Privacy Shield on the same grounds it invalidated the Safe Harbor framework.
Additionally, the ability to use existing binding corporate rules and standard contract clauses to transfer EU data to the United States may be short-lived. The Working Party has expressed concerns that these existing alternative transfer methods ultimately will not withstand legal scrutiny because they suffer the same legal defect that the European Court of Justice relied upon to invalidate the Safe Harbor framework, namely that data transferred under these methods are subject to surveillance by U.S. national security agencies. Consequently, Falque-Pierrotin stated that, after the Working Party has assessed the legality of the Privacy Shield, “we will have all the elements to consider whether SCCs and BCRs can still be used for transfers of personal data to the U.S."
Next Steps for Companies Transferring Data from the EU to the U.S.
Because the Privacy Shield will not become operational for several months, if at all and because certain DPAs, especially in Germany, have previously threatened to institute enforcement actions against companies using the invalidated Safe Harbor framework, companies that have relied solely upon that framework to transfer data are at increased risk during the qualified moratorium if a claim is brought by an individual. Consequently, companies should take the following actions:
- Monitor any advice or guidance from the DPAs in the jurisdictions where they have employees and customers as well as the actions taken by the other former safe harbor certified companies in that jurisdiction.
- Consider adopting SCCs for EU-U.S. data transfers until the Privacy Shield is operational. Increased use of specific consent and exceptions should also be considered.
Further, companies that have relied upon existing SCCs and BCRs to transfer data from the EU to the United States may continue to use such transfer mechanisms but should monitor the progress of the Working Party's analysis of these transfer mechanisms and be prepared to update their data transfer arrangements based on the results of the analysis. Given the length of time it can take for BCRs to be approved by local data protection regulators it is probably worth waiting to see if that system remains approved and how long it will take for the Privacy Shield to become effective.
Whatever further guidance may come in the next several weeks, all companies should consider reviewing and revising their data flows, policies, procedures and protections to comply with the recently-issued General Data Protection Regulation (GDPR), which will become effective sometime in 2018. Any amendments that a company adopts now to its data protection regime, which comply with the new GDPR, can only provide added protection to any potential claim by an EU data subject.