On Monday, Commissioner Jourová’s remarks on the state of play of the Safe Harbor negotiations before the EU Committee on Civil Liberties, Justice and Home Affairs heralded the EU-US Privacy Shield which was announced on Tuesday (see our piece on 3 February).
Yesterday saw the reaction of the Article 29 Working Party (WP29), which is composed of EU Data Protection Authorities, to the Privacy Shield framework proposals. It is premature to view Commissioner Jourová’s remarks and the announcement in the same light as Neville Chamberlain’s “peace for our time” speech in September 1938, but clearly the proposed framework has a long way to go, and how robust or sustainable it will be is still an unanswered question.
In a press statement issued yesterday, WP29 turned the focus to the practices of US Intelligence and their potential for “unjustified interference to the European right to respect for private life and data protection”.
WP29 is looking for four essential guarantees for intelligence activities:
- Processing should be based on clear, precise and accessible rules
- The collection and assessment of personal data should be subject to demonstrably legitimate objectives, be necessary and proportionate, and be balanced against the rights of the EU citizen
- An impartial and effective independent oversight mechanism with the ability to carry out the necessary checks
- Effective remedies for the EU citizen
WP29 recognised US efforts over the past two years to improve the protection of the data of non-US citizens, but was concerned that the current US legal framework does not meet the guarantees.
So, WP29 is looking to examine the EU-US Privacy Shield in the light of the four guarantees before reaching a view on whether the transfer mechanisms such as EU model clauses and Binding Corporate Rules can still be used for personal data transfers to the USA. We will find out in a month or so.
So what does this mean? “Keep calm and carry on” springs to mind. Businesses that transfer data to the USA may now wish to await the outcome, but should in the meantime be examining the circumstances under which that data is exported and the protections currently in place.
Of course, any arrangement with the US will be by letter, rather than binding treaty, so how sustainable will it be following the impending change in the US Administration? That and possible further Schrems-type challenges throw further uncertainty into the mix. What is certain is that the fat lady has not yet entered stage left … We will keep you informed of developments as they happen.