Data protection watchdogs from around the EU have reassured companies that they can continue transferring personal data to the US under alternative legal means—at least for the time being while the EU nails down details on its new ‘privacy shield’.
“Until we have analysed the content of the arrangement and the possible consequences on the other transfer tools we will allow data controllers to use the BCRs [binding corporate rules] and standard contractual clauses,” said Isabelle Falque-Pierrotin, president of the Article 29 Working Party, which represents the powerful privacy authorities from EU member states.
The European Commission yesterday (2 February) announced the ‘EU-US privacy shield’, a new arrangement to replace Safe Harbour, which was ruled invalid by the European Court of Justice in a bombshell decision last October.
After that verdict, national data protection authorities gave the Commission a deadline of the end of January to set up a new agreement.
Many companies that relied on Safe Harbour to transfer consumer data to the US shifted to alternative legal setups, like binding corporate rules and standard contractual clauses.
Business groups already signalled their relief that the watchdogs aren’t moving to shut down those kinds of data transfers before the new privacy shield goes into effect.
“This announcement has provided businesses operating across all sectors of the economy with the reassurance and legal certainty they needed,” said John Higgins, director general of trade association DigitalEurope.Google, Microsoft and several other large technology companies are members of the association.
Falque-Pierrotin told journalists that the group of privacy authorities asked the Commission to share the written text of the new agreement by the end of February.
The group will hold an extraordinary meeting in late March or early April to decide how they’ll approve data transfers and field privacy complaints under the agreement. They’ll also decide whether to continue allowing binding corporate rules and standard contractual clauses for data transfers to the US.
“We can’t just accept words,” Falque-Pierrotin said.
“It’s difficult to come to a conclusion when you’re facing political will but no real documents,” she added.
The privacy chief emphasised that the Commission hasn’t yet shared many details about the agreement with the group of national authorities.
“The legal format of the arrangement is still unclear for us,” Falque-Pierrotin said.
National watchdogs are still in the dark over whether they will be able to suspend the agreement if the US is caught breaking the rules—or if that power will be reserved for the Commission. EU Justice Commissioner V?ra Jourová announced that the agreement will allow the EU to put a stop to the deal.
Falque-Pierrotin also expressed concern that the agreement could be altered when a new US president is elected later this year.
But Jourová told the group of privacy watchdogs earlier today that “there are elements and procedures in place in the shield in order to prevent this”, according to Falque-Pierrotin.
Falque-Pierrotin was reelected as president of the group during a meeting yesterday. Germany was the only EU country represented by two watchdogs, its federal authority Andrea Voßhoff and the president of the German data protection conference and Hamburg authority Johannes Caspar.
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
- by the end of February 2016: the Article 29 Working Party asked the Commission to share the written EU-US privacy shield agreement with its members
- Article 29 Working Party: press release on consequences of the Safe Harbour judgment (3 February 2016)
- Article 29 Working Party: press conference on the EU-US privacy shield (3 February 2016)