Greetings from Brussels!
It’s been an eventful week for European privacy and data protection, with the unveiling of the "EU-U.S. Privacy Shield," the new framework for trans-Atlantic data transfers replacing the now-defunct Safe Harbor. The College of Commissioners agreed to the new political agreement, mandating Vice President Ansip and Justice Commissioner Jourová with the task of getting the Privacy Shield implemented. The agreement should have authorities and companies on both sides of the pond breathing a sigh of relief. We will have to assume that the Commission have taken legal advice at the highest level to check that the new framework could withstand a court challenge; another political PR disaster is simply not worth contemplating in terms of EU-U.S. relations and business confidence.
The new framework essentially reflects three key elements: stronger obligations placed on U.S. companies handling Europeans’ personal data; written assurances from the U.S. that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms; and, key from a European standpoint, EU citizens who believe their data has been misused under the new arrangement will have several redress possibilities in the U.S.
The European DPAs under the umbrella of the Article 29 Working Party (WP29) also met this week in Brussels and welcomed the conclusion to the negotiations resulting in the new framework. The newly re-appointed WP29 President Isabelle Falque-Pierrotin was somewhat cautious in her press conference on Wednesday, stating that the WP29 looked forward to receiving further documentation as to the precise content and legality of the arrangements for assessment. In short, one could say the jury is still out.
The good news is that Falque-Pierrotin confirmed that binding corporate rules (BCRs) and standard contractual clauses (SCCs) can still be used for the transfer of personal data at the present time. The unsettling news, however, is that once a full assessment of the Privacy Shield documentation is concluded, the WP29 will give an overall assessment and statement of validity on all data transfer methods, BCRs and SCCs included. This suggests that there remain a number of legal questions around all methods.
The big message? Companies that have switched from using the now-illegal Safe Harbor to alternative data transfer mechanisms can breathe easy for now, as they are not going to face enforcement action from European DPAs. Those that have not face enforcement uncertainty. All said, as some IAPP members have stated to me, the agreement of the EU-U.S. Privacy Shield represents a significant achievement for the European Commission and the Department of Commerce after over two years of tough negotiations. Many businesses will welcome it. The week’s developments have been encouraging and we can only continue to support our respective public authorities to deliver a robust, fair, and equitable framework.