Wednesday, February 3, brought additional developments pertaining to the transfer of personal data from the EU to the U.S. consistent with EU privacy law. Just one day prior, we reported on the announcement by the EU and U.S. of an agreement called the EU-U.S. Privacy Shield (Privacy Shield), which is intended to replace the Safe Harbor arrangements struck down by the Court of Justice of the EU in the Schrems decision. We noted that the “reaction of the Data Protection Authorities will also be watched, and important developments may come quickly.” Consistent with that advice, Working Party 29 (WP29), which includes the Data Protection Authorities (DPAs) from across the EU that conduct relevant enforcement, met on Wednesday and issued a statement affecting companies that have continued to depend on Safe Harbor to transfer data during this period while an agreement was being negotiated and reported several times to have been close at hand.
The new WP29 statement made clear that Safe Harbor no longer provides a lawful basis to transfer data to the U.S. and that it is possible that enforcement action may be taken against those who rely on it: “The WP29 recalls that, since the Schrems judgment, transfers to the U.S. cannot take place on the basis of the invalidated Safe Harbor decision. EU data protection authorities will therefore deal with related cases and complaints on a case-by-case basis.” Some companies, therefore, may find a gap in compliance in the period, which could be a few months, until the Privacy Shield is finalized, adopted and implemented. At the same time, the DPAs will have different views about bringing enforcement actions in this period and will have limited resources, and may not necessarily have viable complaints before them. For example, some of the regional German DPAs have taken an aggressive enforcement approach in recent months, whereas other DPAs have preferred to wait until the EU-U.S. framework has been renegotiated and finalized.
The WP29 statement also sets forth a set of principles – or “essential guarantees” – that must be respected on cross-border data transfers. These principles include guarantees on the part of intelligence agencies that processing is based on clear, precise and accessible rules, that effective remedies should be available to anyone, and that this is all subject to an independent oversight mechanism. The DPAs will use and apply these principles at a special session they are convening next month when they review the documentation pertaining to the Privacy Shield, and assess compatibility with Schrems and these principles. At that session, they will also review whether the other means currently available to transfer personal information from the EU to the U.S. remain viable: “whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S.” In the meantime, the WP29 has made clear that Standard Contractual Clauses and Binding Corporate Rules can still be used for existing transfer mechanisms.
While the Privacy Shield agreement is very important, it has certainly not immediately ended the uncertainty that U.S. and EU businesses continue to face over data transfer arrangements, as Wednesday’s developments underscored.