Data protection watchdogs from around the EU have reassured companies that they can continue transferring personal data to the US under alternative legal means—at least for the time being while the EU nails down details on its new ‘privacy shield’.
“Until we have analysed the content of the arrangement and the possible consequences on the other transfer tools we will allow data controllers to use the BCRs [binding corporate rules] and standard contractual clauses,” said Isabelle Falque-Pierrotin, president of the Article 29 Working Party, which represents the powerful privacy authorities from EU member states.
The European Commission yesterday (2 February) announced the ‘EU-US privacy shield’, a new arrangement to replace Safe Harbour, which was ruled invalid by the European Court of Justice in a bombshell decision last October.
After that verdict, national data protection authorities gave the Commission a deadline of the end of January to set up a new agreement.
Many companies that relied on Safe Harbour to transfer consumer data to the US shifted to alternative legal setups, like binding corporate rules and standard contractual clauses.
Business groups already signalled their relief that the watchdogs aren’t moving to shut down those kinds of data transfers before the new privacy shield goes into effect.
“This announcement has provided businesses operating across all sectors of the economy with the reassurance and legal certainty they needed,” said John Higgins, director general of trade association DigitalEurope.Google, Microsoft and several other large technology companies are members of the association.
Falque-Pierrotin told journalists that the group of privacy authorities asked the Commission to share the written text of the new agreement by the end of February.
The group will hold an extraordinary meeting in late March or early April to decide how they’ll approve data transfers and field privacy complaints under the agreement. They’ll also decide whether to continue allowing binding corporate rules and standard contractual clauses for data transfers to the US.
“We can’t just accept words,” Falque-Pierrotin said.
“It’s difficult to come to a conclusion when you’re facing political will but no real documents,” she added.
The privacy chief emphasised that the Commission hasn’t yet shared many details about the agreement with the group of national authorities.
“The legal format of the arrangement is still unclear for us,” Falque-Pierrotin said.
National watchdogs are still in the dark over whether they will be able to suspend the agreement if the US is caught breaking the rules—or if that power will be reserved for the Commission. EU Justice Commissioner V?ra Jourová announced that the agreement will allow the EU to put a stop to the deal.
Falque-Pierrotin also expressed concern that the agreement could be altered when a new US president is elected later this year.
But Jourová told the group of privacy watchdogs earlier today that “there are elements and procedures in place in the shield in order to prevent this”, according to Falque-Pierrotin.
Falque-Pierrotin was reelected as president of the group during a meeting yesterday. Germany was the only EU country represented by two watchdogs, its federal authority Andrea Voßhoff and the president of the German data protection conference and Hamburg authority Johannes Caspar.