EU data protection authorities have hinted at more uncertainty for companies when it comes to EU-US data transfers, at least until April.
So what do we know?
Companies which are still relying on the Safe Harbor framework to transfer data between the EU and the US could be investigated by national data protection authorities in the EU, said the chair of the Article 29 Working Party in Brussels today. Isabelle Falque-Pierrotin heads the group, which brings together all the national data protection authorities in Europe. In a live statement this afternoon, she confirmed that companies using other legal mechanisms to transfer data (such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)) would escape investigation for a few more months, as data protection authorities continue to carry out a review on this issue which won’t be concluded until April at the earliest.
This review includes a thorough analysis that it has done on the US surveillance systems. The Article 29 Working Party has raised concerns that the scope of surveillance in the US and remedies available to citizens could impact the effectiveness of BCRs and SCCs. The new Privacy Shield agreement could help improve the situation, but the devil is in the details. A recent statement outlines four essential guarantees for intelligence activities (which Mrs. Falque-Pierrotin during the press conference made a point that it applies to EU countries as well):
- Processing should be based on clear, precise and accessible rules where people are reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
- An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
- Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.
Why wait until April? What’s the delay?
The Article 29 Working Party has not yet received any documentation on the new Privacy Shield agreement from the Commission. They have received verbal statements from Commissioner Jourova this morning with a promise to receive the detailed texts by the end of February. Once the documents have been received, the Article 29 Working Party will need to review and meet again to make a final decision.
It is worth noting that there was a lot of optimism in the voice of the Article 29 Working Party’s President today, but much still needs to be reviewed. Will the new measures announced by Commissioner Jourova yesterday be robust, enforceable and secure enough to pass the data protection authorities’ test?