The new WP29 statement made clear that Safe Harbor no longer provides a lawful basis to transfer data to the U.S. and that it is possible that enforcement action may be taken against those who rely on it: “The WP29 recalls that, since the Schrems judgment, transfers to the U.S. cannot take place on the basis of the invalidated Safe Harbor decision. EU data protection authorities will therefore deal with related cases and complaints on a case-by-case basis.” Some companies, therefore, may find a gap in compliance in the period, which could be a few months, until the Privacy Shield is finalized, adopted and implemented. At the same time, the DPAs will have different views about bringing enforcement actions in this period and will have limited resources, and may not necessarily have viable complaints before them. For example, some of the regional German DPAs have taken an aggressive enforcement approach in recent months, whereas other DPAs have preferred to wait until the EU-U.S. framework has been renegotiated and finalized.
The WP29 statement also sets forth a set of principles – or “essential guarantees” – that must be respected on cross-border data transfers. These principles include guarantees on the part of intelligence agencies that processing is based on clear, precise and accessible rules, and that effective remedies should be available to anyone, and that this is all subject to an independent oversight mechanism. The DPAs will use and apply these principles at a special session they are convening next month when they review the documentation pertaining to the Privacy Shield, and assess compatibility with Schrems and these principles. At that session, they will also review whether the other means currently available to transfer personal information from the EU to the U.S. remain viable: “whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S.” In the meantime, the WP29 has made clear that Standard Contractual Clauses and Binding Corporate Rules can still be used for existing transfer mechanisms.”
While the Privacy Shield agreement is very important, it has certainly not immediately ended the uncertainty that U.S. and EU businesses continue to face over data transfer arrangements, as Wednesday’s developments underscored.
*This blog post was originally on AG Trade Law.