Businesses celebrating a Safe Harbor replacement have been dealt a sobering gut punch from Brussels: in April 2016, the European Union data protection authorities (“DPAs”) may reject not only the recently announced “EU-US Privacy Shield” but also data transfers to the U.S. that are based on Standard Contractual Clauses (a/k/a model contracts) or Binding Corporate Rules. Starting now, the DPAs may take enforcement action against companies that still rely on the now defunct Safe Harbor to transfer personal data to the U.S., but (for the time being) not against companies that rely on and comply with Standard Contractual Clauses or Binding Corporate Rules for such transfers. Safe Harbor is dead, and reliance on Safe Harbor is illegal.
That was the message issued today in a statement and press conference by the Article 29 Working Party (“WP29”), a group composed primarily of representatives from every EU member state’s DPA. The DPAs did not participate in the negotiation of the EU-US Privacy Shield. Instead, they were consulted minimally at the last minute, and have not seen any documentation of the new program or of the “assurances” that the U.S. is said to have provided during the negotiation. In light of the concerns raised by the European Court of Justice in its decision that invalidated Safe Harbor, which focused primarily on U.S. governmental access to EU personal data and the lack of effective redress mechanisms, the WP29 has been reviewing the legality of data transfers to the U.S. based on two current legal alternatives: Standard Contractual Clauses and Binding Corporate Rules. The WP29 is concerned that these alternatives may suffer from the same problems identified by the court.
The WP29 called on the European Commission to provide it with documentation of the EU-US Privacy Shield by the end of February. The WP29 will then organize a meeting for the end of March or beginning of April, as they will then “have all the elements to consider whether the standard contractual clauses and Binding Corporate Rules can still be used for personal data transfers to the U.S.,” according to comments by WP29 Chairman Isabelle Falque-Pierrotin. The WP29 will evaluate the EU-US Privacy Shield and the other two data transfer mechanisms on the basis of “four essential guarantees for intelligence activities”:
- “Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
- An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
- Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.”
The EU DPAs may then go to court to challenge the European Commission’s decisions that created the data transfer mechanisms. If they do, they may need to get in line behind the applicant in the case that invalidated Safe Harbor, who today released this statement: “I am … not sure if this system will stand the test before the Court of Justice. There will be clearly people that will challenge this – depending on the final text I may well be one of them.”