A29 Working Party To Convene Special Plenary on Thursday To React to Safe Harbor Ruling
With the echoes of Tuesday’s European Court of Justice Safe Harbor decision still rippling through the hills of the privacy community, it was no surprise this morning to find a standing-room-only crowd at Dentons' “Fireside Chat” with Information Commissioner Christopher Graham here in London.
Host Chantal Bernier, of counsel at Dentons Canada and former Canadian privacy commissioner, wasted no time: “Why don’t we address the elephant right away so the elephant can move off: What do you think of Tuesday’s decision?”
Graham struck a tone of pragmatism and patience, as he would throughout the discussion. “Don’t panic,” he counseled. The ICO’s office will not be “knee-jerking into sudden enforcement of a new arrangement. We are coordinating our thinking very much with the other data protection authorities across the EU.”
He noted that a subset of the A29 Working Party is meeting today to prepare for a full plenary meeting that will happen Thursday and which he will attend.
“You need to hear: ‘We get it. We understand the significance of what has happened.’ If you’re using the cloud, you’re concerned about this. If you’re an SME involved in transfers of information between Europe and the U.S., you’re concerned about this development. We absolutely understand that the ICO needs to be thoroughly engaged. We’re talking to Whitehall about it … [and] … we’re working hard on making sure there is a coherent, coordinated response from the DPAs to these developments.”
“Keep calm,” he said, quoting the quintessential British attitude. “Safe Harbor is not the only route. There are standard contractual clauses; there are BCRs. Let’s just work through the implications of the decision that’s been made, and we as the data protection authority in the UK, with a significant voice in A29, will argue for a practical response to what has happened. There is the issue of growth, of jobs, of the development of technology in Europe and across the world.
“If it’s at all reassuring,” he continued, “the regulator understands that something big has happened and we’ll be as helpful as we can to lead everyone through the process.”
Bernier wondered, however, whether BCRs and clauses aren’t called into question by the Safe Harbor ruling as well.
“Let’s not talk ourselves into a crisis,” Graham responded. “The judgment of the ECJ, did not go as far as the opinion of the [Advocate General] a couple of weeks back … Let’s not create a drama out of a crisis, by saying, ‘Oh if that’s the case for Safe Harbor that must also be the case for BCRs and clauses.’ Let’s not panic. We’re not going to be doing anything unsubtle. And we’ll be a voice urging restraint if there are any fundamentalists in the room who want to say, ‘and therefore and therefore and therefore.’”
Already, Safe Harbor was being renegotiated, he noted, and already there are special arrangements for security services in the Directive. “The problems about the access that security authorities claim for personal information are there in every jurisdiction,” Graham said. “Talk about elephants in the room: That’s one of the elephants.”
Nor is that elephant going away. “Privacy is a fundamental right within the EU,” Graham said. “So is security; so is the right not to be blown up. And practical politicians and data protection authorities will be working toward balancing these competing obligations.”