US transfers: uncertainty continues as EU regulators require improvements to Privacy Shield; model contracts and BCRs remain OK (for now)

Claire Walker

Datonomy summarises the latest developments in the ongoing saga of US data transfers.

What’s new?

On 13 April, the Article 29 Working Party announced their eagerly awaited – but as it turned out, somewhat inconclusive – conclusions on the proposed new EU-US Privacy Shield data transfer mechanism. A lunchtime press conference led by Article 29 Working Party Chairman Isabelle Falque-Pierrotin was followed by the publication in the late afternoon of two new documents:

The documents analyse the Privacy Shield from two angles:

  • the commercial aspects
  • derogations for national security purposes.

See below (“What are the regulators’ concerns”) for a bit more detail on the content of these documents and the key concerns raised.

As Datonomy readers will be well aware, this is a long-running saga, triggered by the CJEU’s invalidation of Safe Harbor in October 2015 in the Schrems case, followed by the EU regulators’ ultimatum to the EU and US, followed by the unveiling of the Privacy Shield deal in early February and publication of fuller details at the end of February.

So, does this resolve uncertainty over US data transfers?

No. The WP welcomes the Privacy Shield as making “major improvements” to Safe Harbor, but these latest documents are neither an outright endorsement – nor a rejection – of the new scheme. The Working Party urges the Commission to address the various concerns it raises in the final version of the adequacy decision on the Privacy Shield. (Datonomy readers will be aware that at the start of this week, following leaks by certain German DPAs, there were rumours of rejection of the deal.)

What are the next steps, and what should businesses do in the meantime?

This is a somewhat novel situation – like each successive stage of the Safe Harbor debacle. The Chair of the Article 29 WP stated in the press conference that “nobody knows” exactly what will happen next. The EU’s Commissioner for Justice, Vera Jourova, has been quoted as saying the Opinion contains “a number of useful recommendations and the Commission will work to swiftly include them in its final decision.” Just how feasible that renegotiation with the US will be remains to be seen.

It has been the Commission’s stated aim – according to a statement by Commissioner Oettinger in mid March (e.g. reported here) – for the Privacy Shield to take effect by June this year. According to the Article 29 WP, the Commission’s negotiation with the US authorities is “still dynamic” and it is the A29’s hope that the final version of the decision could be influenced to better address the concerns it has flagged. The next step is for another committee under the DP Directive – the Article 31 Committee (made up of representatives of the Member States) – to formally approve the adequacy decision.

So yet again, it is a case of wait and see – as to whether the Commission and US authorities will negotiate sufficient changes to the Privacy Shield to satisfy the regulators (and the Article 31 Committee) – or whether the Commission will adopt the adequacy decision without changes to the scheme – which would surely leave it vulnerable to challenge before an increasingly pro-privacy CJEU.

The legal limbo for businesses continues. Safe Harbor is dead, the Privacy Shield is closer to being endorsed – but it is not there just yet. Watch this space for further news of reaction from national regulators and the Commission – and don’t rip up those model contracts just yet…

What about model contract clauses and binding corporate rules?

The opinion was also expected to analyse the adequacy of the alternative transfer mechanisms – model contract clauses and intra-group Binding Corporate Rules. However, the new documents deal only with Privacy Shield. In the press conference, the message was that model clauses and BCRs remain legitimate transfer methods – at least for now.

In more detail…what are the regulators’ concerns about the Privacy Shield?

According to the Opinion, the Privacy Shield and adequacy decision in their current form do not provide “essential equivalence” to the Data Protection Directive. The specific shortcomings focus on these areas:

On the commercial aspects of the Privacy Shield:

  • some aspects of the documentation and terminology are not sufficiently clear
  • certain DPD principles – including data retention, rules against automated decision taking and purpose limitation – are not adequately reflected
  • insufficient safeguards for onward transfers from the third country
  • new recourse mechanisms for EU data subjects are too complex to be effective

On derogations for national security purposes:

Although it is a “large step forward” from Safe Harbor, there are concerns about:

  • bulk data collection (data collection on a “massive and indiscriminate” scale for the fight against terrorism)
  • the independence and effectiveness of the new ombudsman, to protect data subjects’ rights.

Another concern is that Privacy Shield is aimed at meeting the standard of the current DP Directive – but will require updating to meet the stricter standards of the GDPR in time for mid 2018.

Essential European Guarantees

In the Working Document, the Article 29 Working Party sets out four guarantees which must be met both within the EU and when EU citizens’ data is transferred to third countries. This is based on analysis of case law from the CJEU and European Court of Human Rights.

A. Processing should be based on clear, precise and accessible rules

B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated

C. An independent oversight mechanism should exist

D. Effective remedies need to be available to the individual

The document stresses that these guarantees are not unconditional, but will need to be interpreted by DPAs on a case-by-case basis when deciding whether to take enforcement action such as suspending transfers. There is further CJEU case law in the pipeline which could impact the interpretation of necessity and proportionality.

Although non-binding, the legal analysis in both the Opinion and the Working Document is likely to be highly influential in the next instalment of the Safe Harbor saga.
