A mote of certainty for US businesses that export EU data for processing and are wondering whether or not they are in compliance with EU law right now, given the legal quagmire of EU-US data protection relations. The Article 29 Working Party, the body made up of representatives of individual European Member States’ data protection authorities (DPAs), has said today that it will not be taking enforcement action against companies that are using alternative transfer mechanisms in the wake of last year’s Safe Harbor strikedown.
The European Court of Justice invalidated Safe Harbor last October, following a legal challenge brought by European privacy campaigner Max Schrems, but the European Commission pointed companies to alternative transfer mechanisms they could use in the interim, such as standard contractual clauses and model contracts.
The WP29 has been assessing these mechanisms for the past few months, and said today that it does have concerns about their legality, in light of US government agencies’ access to European citizens’ data for surveillance purposes. However it is suspending these concerns temporarily while it waits to see details of the new data transfer deal, the EU-US Privacy Shield, announced yesterday by the European Commission.
“We will have to receive the proper documents on this announcement because it’s still words from the Commission,” said Isabelle Falque-Pierrotin, chair of the WP29 and head of France’s CNIL DPA, speaking during a press conference, and after the body met with Commissioner Věra Jourová to discuss the Privacy Shield deal this morning.
“We need to receive these documents in order to know precisely the content of these document and also the legal bindingness of this announcement. Because until now we’ve been told that it was an exchange of letters. A unilateral act from the Commission. We don’t know exactly what it covers, and what is the legal bindingness. And also we want to receive the documents in order to assess whether this EU-US Privacy Shield can answer to the wider concerns raised by the Schrems judgement as regards all the international transfer of personal data.”
So, in other words, companies that have switched from using the now illegal Safe Harbor to alternative data transfer mechanisms can breathe easy for now that they are not going to face enforcement action from European DPAs. (Although any companies still relying on Safe Harbor do not have that certainty; Falque-Pierrotin confirmed such companies are in “an illegal situation” and may face enforcement — depending on the DPAs in question, and whether they receive any complaints.)
Some European DPAs had previously suggested they might block transfers of data based on alternative mechanisms. But Falque-Pierrotin confirmed that all the DPAs have agreed to take a common position for now.
Effectively then, the WP29 has agreed to allow more time for the EU and the US to try to forge a new data transfer agreement. Although, at this stage, it is by no means certain yesterday’s trumpeted Privacy Shield will in fact pass muster. Falque-Pierrotin repeated emphasized the WP29 remains in the dark on the details of the arrangement and thus cannot judge whether it will be robust enough.
Instead, she said it has agreed to allow more time to the two sides to deliver a text with full details of the agreement — which it will then study to make a proper assessment.
“The legal format of the arrangement is still unclear for us,” she said, responding to questions from journalists during the press conference. “We had the commissioner saying this morning it was a unilateral decision from the Commission. I heard ‘exchange of letters’. To be honest we don’t know a lot about this. So we still have to wait and see exactly what is provided by US in terms of commitments.”
“It’s difficult to come to a conclusion when you are facing a political will but no real documents,” she added. “We had to find a way in our position between being too rigid and closing any type of hopes… and being too open on legitimate grounds. So we believe that the position we’ve taken is a sensible one that says we are going to wait but not too long to be able to assess the quality, the content, the legal consequences of this arrangement.
“The persons that are able to fix the situation it is the negotiators. Now we have something brought by the negotiators… Let’s give them the possibility to convince us.”
In terms of timeframe, she said that depends on the Commission. But the WP29 is calling for a full document to be delivered by the end of February. It is intending to then hold a meeting in March to assess the text, and could, she said, come to a conclusion on whether the Privacy Shield is acceptable by mid-April or the end of April — again, depending on whether the EC fulfills this timetable or not.
The WP29’s future analysis of the Privacy Shield will focus on what Falque-Pierrotin said are “four essential guarantees” — gleaned from its prior analysis of European jurisprudence — that she said must be respected when US intelligence services have access to European data, namely that:
- processing must be based on “clear, precise and accessible rules”
- there should be “necessity and proportionality” in accessing personal data from European citizens
- there needs to be an independent oversight mechanism to oversee how EU citizens’ data is being accessed by intelligence services
- there must be “effective remedies” open to EU individuals wanting to make complaints — “and anyone should have right to defend her/his right before an independent body”
“These four essential guarantees constitute a kind of European standard,” she said, adding that such guarantees must also be applied to cover data transferred to other countries within Europe.
Earlier this week it emerged that the Privacy Shield arrangement includes exceptions to allow for some US mass surveillance of EU citizens data — with Jourová listing three circumstances when “generalized access” would be allowed: “if the tailored and targeted access is not technically or operationally possible; or if they see some very dangerous trend that needs more than targeted access”. So it remains to be seen whether these exceptions can be squared with the WP29’s four essential guarantees.
The WP29 is due to issue a statement later today with more details on its position — we’ll update this story with a link when this is published.