Though the future of transatlantic data transfers continues to hang in the balance, one more clue was offered Wednesday afternoon in Brussels, with official word from the EU’s collection of data protection authorities on their assessment of the newly proposed EU-U.S. Privacy Shield arrangement. The head of the Article 29 Working Party (WP29) said during a press conference that the group “welcomed” the agreement but needed further documentation to assess its legality.
“It is still only words from the European Commission,” said WP29 Chairwoman Isabelle Falque-Pierrotin. “We need documents in order to know precisely the content of the agreement” and “to assess whether the EU-U.S. Privacy Shield can answer to the wider concerns raised by the Schrems decision on data-transfer mechanisms.”
On Tuesday, the European Commission and U.S. Department of Commerce announced they had reached an agreement – now called the EU-U.S. Privacy Shield – that would allow for the transfer of personal data of EU citizens to the U.S. The arrangement includes the creation of an ombudsperson in the U.S. State Department to handle EU complaints about U.S. surveillance, written assurance that surveillance will be limited and proportionate, multiple avenues of redress for EU citizens, and an annual joint-review of the arrangement.
The DoC also released a Fact Sheet on the Privacy Shield arrangement Wednesday morning. In it, the DoC highlights strengthened cooperation between the U.S. Federal Trade Commission and the WP29. The agency also said it “will step in directly … to resolve referred complaints” and that it would dedicate “a special team with significant new resources to supervise” Privacy Shield compliance. Plus, participating companies will undergo “new contractual privacy protections and oversight” for transferred data.
What’s clear at this point is that the old Safe Harbor arrangement is invalid and illegal, from the WP29 view. However, as the group waits for official documentation from the European Commission and works on its own analysis of the agreement, alternative data-transfer mechanisms – specifically, binding corporate rules (BCRs) and standard contractual clauses (SCCs) – will continue to be a valid way to transfer personal data out of the EU, at least for the next couple months.
Falque-Pierrotin said the WP29 expects final text on the Privacy Shield in roughly three weeks. It will then take about a month to evaluate the agreement, alongside BCRs and SCCs, before holding an extraordinary plenary session "at the end of March," after which it will levy its opinion on the validity of data transfer to the United States. She also added that, if everything went to plan, a finalization could be achieved by the end of April.
But many obstacles remain.
Since details on the agreement are forthcoming, it is not yet clear what the WP29 will ultimately decide on the future of data transfers out of the EU. However, the group has already conducted an assessment of BCRs and SCCs based on European jurisprudence, and received feedback from academics, business representatives, senior government officials, and civil society to come up with “four essential guarantees for intelligence activities” that will be used during its analysis of the Privacy Shield agreement.
First, processing of personal data should be based on clear and accessible rules. Surveillance activities need to be necessary and proportionate, and there must be oversight via an independent mechanism. Finally, “effective remedies” must be available to individuals, and those individuals must have a means to defend themselves.
As of the most recent evaluation, the WP29 has "concerns" that BCRs and SCCs fail this four-point test, but the details of Privacy Shield may change the analysis. For example, Falque-Pierrotin said the establishment of an ombudsperson in the U.S. would be a positive development. “It gives the possibility to convey complaints on delicate areas with intelligence services," she said. "Even in our country, we understand that national security is delicate. The ombudsperson has to be scrutinized and analyzed, but it’s a very good sign from the U.S. intelligence community to provide us with this. We’ll see how practically and clearly it will work.”
By the end of March and the WP29 meeting, continued Falque-Pierrotin, “we will have all the elements to consider whether SCCs and BCRs can still be used for transfers of personal data to the U.S. In the meantime, and until we receive a complete assessment on the consequences of the Privacy Shield, to determine its legality, we consider that it is still possible to use existing transfer mechanisms.”
When pressed by the media whether those currently using the old Safe Harbor arrangement would be pursued by the DPAs, Falque-Pierrotin said, “One thing is for sure: If companies are using the former Safe Harbor, it is illegal.” She later added that enforcement of companies transferring data under the guise of the old Safe Harbor would depend on individual DPAs and whether those DPAs receive any complaints.
Overall, Falque-Pierrotin's attitude might be described as measured. “We are going to wait, but not too long, to assess the quality of content and the legal consequences of the arrangement,” she said. Speaking of the Commission and U.S. government, Falque-Pierrotin noted, “They have heard what we asked. Now let’s give them the possibility to convince us. We will be demanding in our analysis.”