EU-US Privacy Shield and the Article 29 Working Party – „Saving the Day“ or „Business as Usual“?

Had you asked any privacy lawyer after the ECJ’s abolishment of Safe Harbor on October 6^th 2015, if there was any valid alternative for transferring personal data into the United States, you would have ended up with a variety of answers and thus more confused than before.

As the European Commission announced on Tuesday, a solution is in sight. However, celebrating the end of legal uncertainty seems a bit premature at this point of time.

But before we take closer look at the newly minted EU-US Privacy Shield let’s recap first

In the wake of Edward Snowden’s revelations on indiscriminate surveillance of Europeans and in the light of US legislation, especially the Freedom Act, Max Schrems, an Austrian, went to war with facebook.com and the Irish Office of the Data Protection Commissioner. He wanted the Irish Office of the Data Protection Commissioner to examine, whether facebook actually observed the Safe Harbor rules and to check any infringement on his human right to privacy. The Irish Office of the Data Protection Commissioner took the position that since the EU Commission had accepted the Safe Harbor rules, the office itself had no authority for independent checks or declarations in this matter. Max Schrems thus ended up arguing his case before the ECJ and won. The ECJ, as we all know, did take the matter one step further. It did not only rule that a Commissions’ decision did not limit the Office’s authority for independent checks, but also that Safe Harbor itself was actually not a safe harbor for privacy data. The ECJ based its ruling on the following reasons: basic human rights of European citizens can be infringed upon when privacy data is transferred into the US, since US legislation allows government institutions to demand from private companies etc.

• privacy data be disclosed to them indiscriminately, without a warrant or grave reason and
• without the possibility of judicial redress for a European citizen to a court of law.

Soon the discussion arose whether the “Safe Harbor Alternatives” – namely Binding Corporate Rules or the use of EU Model Clauses still were acceptable to justify data transfers into the United States. Both, BCR and SCT were basically facing the same difficulties with the US authorities: indiscriminate access to privacy related data anywhere and anytime, without the possibility for judicial regress.

A “grace period” for data transfers into the United States declared by the Article 29 Working Party (“WP29”) employing EU Model Clauses or Binding Corporate Rules.

Just when people (especially privacy lawyers) were becoming more and more jittery and fretful, the commission announced on Tuesday evening that a consensus for a Safe Harbor 2.0 was found. In order to leave behind the infamous (Not-So) Safe Harbor, the child was given a new and strong name: the EU-US Privacy Shield.

According to the Justice Commissioner Jourová the Agreement would ensure and safeguard three key elements:

• Strong obligations on companies handling Europeans’ personal data and robust enforcement
• Clear safeguards and transparency obligations on U.S. government access
• Effective protection of EU citizens’ rights with several redress possibilities

Why did we then say that celebrating the Privacy Shield was a bit premature?

Well first of all, the Commission merely announced a consensus was reached. As of now, we have not seen the wording of said consensus in order to be able to form our own legal opinion. Second of all, the relevant US institutions need to formally adopt the consensus, as do the various European institutions that have a say in this matter. And thirdly, the new framework, monitoring mechanisms and Ombudsman need to be installed.

As of February 3^rd the WP29 issued its own opinion reflecting tuesday’s announcement. It stated that the WP29 stands ready to analyze negotiations’ results in the light of the European essential guarantees of human rights, especially the right to privacy. The WP29 will now especially analyze

• if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-US Privacy Shield.
• to what extent this new arrangement will provide legal certainty for the other transfer tools.
• whether the provisions respect the powers of data protection authorities as laid down in Article 28 of Directive 95/46/EC.

What does that mean for day to day business?

It means: despite the Commissions’ announcement on February 2^nd nothing relevant has changed:

Data transfers into the US obviously cannot be justified with the Safe Harbor rules.

The “grace period” ended on January 31^st.

Yet the WP29 emphasized on February 3rd: “EU data protection authorities will therefore deal with related cases and complaints on a case-by-case basis”.

Furthermore, it has called on the Commission to provide the WP29 with all relevant documents by the end of February. The WP29 plans to then hold an extraordinary plenary meeting in order to consider transfer mechanisms, such as EU Model Clauses and Binding Corporate Rules can still be used for personal data transfers into the U.S.

What should be done now?

If you’re employing EU Model Clauses and BCR that were approved, you should be on the safe side.

If not, we advise not to wait until the EU-US Privacy Shield is in place. It’s a highly political process with many institutions involved. Prepare or even undertake all the necessary steps for legalizing data transfers into the US on the grounds of Binding Corporate Rules or EU Model Clauses.