Safe Harbour – what’s new?
Yesterday, the European Commission announced that it had agreed a new framework with the US for data flows between Europe and the US, christened “EU-US Privacy Shield”. This would replace the former Safe Harbour agreement, which was invalidated by the ECJ on 6 October last year, and allow a mechanism for companies to legally transfer data relating to EU data subjects between Europe and the US. Datonomy watched the Article 29 Working Party (“A29WP”) press conference given by the Chair, Isabelle Falque-Pierrotin, at midday today (following which a formal statement was released) and brings you the key points on the current status and next steps for Privacy Shield.
What is the status of the new EU-US Privacy Shield?
Whilst the European Commission may have reached an agreement, it seems that Privacy Shield is far from a done deal. The A29WP was not included in the negotiations relating to Privacy Shield, and has so far received only verbal commitments from the Commission on certain issues of concern to it. The next stage will be for it to receive full documentation, so that it can evaluate the new framework and issue a full statement. It appears that the A29WP has many questions to which it requires answers, and the European Parliament also made it clear in its press release yesterday that it too had concerns about how the arrangement would work in practice. It therefore seems that there is yet more waiting to be done until Privacy Shield is finalised.
What will EU regulators do next? When?
The A29WP has asked the Commission to provide documentation about Privacy Shield within the next three weeks. Once this has been received, it will analyse whether Privacy Shield does in fact address its concerns about the handling of EU subjects’ data in the US, and how legally binding the deal will be. It has identified four key criteria by which it will evaluate a country’s data handling practices:
- the processing of data based on clear, precise and accessible rules;
- the exercise of the principles of necessity and proportionality;
- the existence of an independent oversight mechanism; and
- the availability of effective remedies for data subjects.
In addition, the A29WP has indicated that it currently has similar concerns in relation to the other EU-US transfer tools (BCRs and model clauses) and that it will also be evaluating its position on these in light of assurances from the US government which will supposedly be included in the Privacy Shield documentation. The A29WP has an extraordinary plenary session scheduled for the end of March, at which it intends to conduct this analysis, with a final conclusion expected sometime in April.
If you are transferring data to the US, what should you be doing?
If you are still relying on old Safe Harbour…
During the press conference, Isabelle Falque-Pierrotin reiterated that Safe Harbour has been invalidated, and EU-US data transfers on the basis of Safe Harbour are technically illegal. Companies which have continued to rely on Safe Harbour to validate data transfers to the US could be at risk of enforcement action, depending on the stance of the national data protection authority in question and any complaints received.
If you have BCRs or model clauses in place…
The A29WP confirmed that, for now, its position is that model clauses and binding corporate rules remain valid transfer mechanisms, pending deeper analysis.
Businesses relying on BCRs or model clauses to transfer data to the US have further breathing space pending the A29WP’s full analysis of the new US deal, although it remains to be seen what action individual national regulators might take, particularly if there are specific concerns or complaints about a particular transfer. Data transfers between the EU and other non-EEA countries remain unaffected. We will continue to keep you posted.