Great uncertainty has followed the judgment of the EU’s Court of Justice in Schrems, in which the CJEU held that the EU Commission’s Safe Harbor Decision was invalid. That decision had enabled the easy transfer of personal data from the EU to the U.S.; its invalidity has thrown all such transfer mechanisms into doubt, leading to an increase in data localization.
The EU Commission responded swiftly to Schrems, initiating negotiations with the U.S. government that led to an agreement in February of this year: the Privacy Shield. The EU Commission then proposed a decision recognizing this agreement as providing adequate data protections. That proposal is currently being considered by the Article 31 Committee, established pursuant to the existing Data Protection Directive 96/46. This committee consists of representatives of each EU Member State, chaired by the EU Commission. Its approval is required before the Decision can be formally adopted by the EU Commission. It had been anticipated that approval would issue in May, but some EU Member States expressed doubts. Approval may now issue later this month or it may not; the outcome is yet uncertain.
In the meantime, a number of opinions have issued that question whether the Privacy Shield addresses all the concerns raised by the CJEU in Schrems. The opinion of the Article 29 Working Party identified three major points of concern: firstly that the agreement “does not oblige organisations to delete data if they are no longer necessary”; secondly “ … the U.S. administration does not fully exclude the continued collection of massive and indiscriminate data”; and finally that the supervisory mechanism, provided by the agreement, the Ombudsperson, needs its “ … powers and … position …” to be clarified.
These concerns have been echoed by the European Data Protection Supervisor, who concluded that “… robust improvements are needed in order to achieve a solid framework, stable in the long term,” while the EU Parliament called on the EU Commission to “… continue the dialogue with the U.S. administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.” Of course it is not certain that the U.S. government will be receptive to such calls for renegotiation. Much may depend upon the result of November’s U.S. presidential elections; one might wonder how an incoming "President Trump" would respond to such a call.
None of these opinions can have the direct effect of preventing the approval or adoption of the EU Commission’s draft Privacy Shield decision. But these opinions suggest that it is almost certain that that decision will be referred to the CJEU if and when it is made. Any referral to the CJEU will take time, a year or two, maybe more (even if the CJEU expedites a hearing, there will have to be an investigation and the court of an EU Member State will have to make the referral).
But a judgment of the CJEU on the current version of Privacy Shield will not end the uncertainty, for the jurisdiction of EU data protection law will shortly be extended. This extension follows Google Spain, in which the CJEU held that Spanish data protection law could be applied to Google’s servers in California. From May 25, 2018 Regulation 2016/679 will apply to “ … the processing of personal data in the context of the activities of an establishment of a controller or a processor in the (EU), regardless of whether the processing takes place in the (EU) or not.” Establishment was given a quite broad meaning by the CJEU in Google Spain and Weltimmo; the employment of a single person within a jurisdiction is sufficient presence to create an “establishment.” And Regulation 2016/679 may apply even where a data controller has no establishment within the EU. Article 3(2) of Regulation 2016/679 goes on to provide that it applies to data processing where neither the controller nor the processor is established in the EU, where the processing relates to “… the offering of goods or services … to … data subjects in the (EU); or … the monitoring of their behaviour as far as their behaviour takes place within the (EU).”
Article 27(1) of Regulation 2016/679 requires that those controllers and processors caught by Article 3(2) “ … shall designate in writing a representative in the Union." That representative must “ … be mandated by the controller or processor to be addressed … for the purposes of ensuring compliance with this Regulation.” Extending the jurisdiction of EU data protection law may address one of the major points of concern raised by the Article 29 Working Party, the absence of clear supervisory mechanisms. What is unclear is how effective the supervisory mechanisms proposed by Regulation 2016/679 will be. Can Regulation 2016/679 be enforced against a non-EU controller or processor that simply chooses to ignore it; if so, how?
Given its extra-territorial effect one might wonder whether Regulation 2016/679 could have dispensed with other mechanisms for enabling the transfer of personal data out of the EU, but it does not. In addition to the adequacy decision currently being considered for the Privacy Shield, a number of alternative mechanisms are provided for, including: contractual clauses; consent; and binding corporate rules. These alternative mechanisms will remain in place after May 25, 2018. But Ireland’s Data Protection Commissioner has indicated that she intends to refer at least one of them, contractual clauses, to the CJEU. So the validity of these alternative mechanisms may be uncertain, at least until the CJEU gives judgment. Whether such a judgment will provide certainty may depend upon the questions that the Irish High Court will ask of the CJEU. It is not yet certain what those questions will be.