On Tuesday 2 February, less than 24 hours after a tentative update to the European Parliament's LIBE committee, the European Commission announced that a political agreement had been reached on the replacement for Safe Harbor. Negotiators had been racing to meet a deadline set by the Article 29 Working Party, who met with Commissioner Jourova yesterday to discuss the proposal and agree a joint compliance response to the Schrems judgment. In a live press conference, Working Party Chair Isabelle Falque-Pierrotin confirmed that regulators would continue to permit transfers to the US based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) but warned that transfers still reliant on Safe Harbor were now illegal.
Experts from a number of Bird & Bird offices provided a second webinar on Wednesday 3 February to analyse the Privacy Shield and announcements, and answer a number of questions on how businesses should react. This has been recorded and is available at the link below.
In October 2015, the CJEU ruled in case C-362/14 Schrems v Data Protection Commissioner that the EU Commission's Safe Harbor decision was invalid. For a full summary of the facts and an analysis of that judgment, please see our bulletin here. Later that month, the Article 29 Working Party - comprised of representatives of Member State DPAs, the European Data Protection Supervisor and the European Commission - issued a non-binding press release on the implications of the judgment. This press release gave the Commission and US until the end of January to find an appropriate solution, warning that failure to resolve issues raised in the judgment on the wider state of US law and practice would result in Working Party consideration of the validity of all transfers to the US (including transfers under SCCs and BCRs). The Working Party were due to discuss the validity of US transfers under SCCs and BCRs in their meeting on 2-3 February 2015.
The Commission announced that a political agreement had been reached between Commissioner Jourova and the US Secretary of Commerce, Penny Pritzker. Some details of this agreement were released in a high-level press release, with limited further detail provided by the Commissioner in her presentation to the LIBE Committee on Monday and her press conference on Tuesday. A summary of what we know of the proposal, titled the "EU-US Privacy Shield", is set out below.
The Commission press release can be found here.
The Article 29 Working Party have reacted to the Commission proposal by delaying their discussion on transfers to the US under SCCs and BCRs until they have been given more detail on the new framework. The Working Party has set a new three week deadline to receive final drafts, allowing them to work towards a final decision on US transfers under the framework, SCCs and BCRs by mid-late April 2016. They have agreed that transfers to the US under SCCs and BCRs will remain valid until then, and have set out the four "guarantees" that must be met.
The Working Party press release can be found here.
Safe Harbor is conclusively dead – Isabelle Falque-Pierrotin was categorical in her press conference that transfers still basing their adequacy on Safe Harbor were illegal. Some jurisdictions may now see enforcement action where companies have taken no action, particularly if complaints are received, although it was clear that enforcement was an area of little agreement between DPAs. Although some DPAs had indicated that SCCs and BCRs were no longer acceptable for US transfers, they are expected to withhold action in this area until the Working Party meet to discuss the Commission proposal.
Companies that have held back on changing their international transfer approach in hope of a quick "Safe Harbor 2.0" fix should now give serious thought to signing SCCs or adopting BCRs – albeit that these are not guaranteed to survive Working Party scrutiny in the spring. The other practical alternative is the relocation of services – a number of large cloud providers have hastened moves to provide EU located servers and support. Realistically, the Privacy Shield is unlikely to be available before the summer even assuming a smooth adoption. Consent will not be a viable option for regular and systematic transfers, and was not mentioned as a viable alternative during the Working Party press conference.
The Working Party has set a deadline of three weeks for the Commission to provide it with final drafts for evaluation. We can hope for more concrete details of proposals to be published or leaked at this time. The Commissioner also explained that additional groundwork would be needed in the US to put in place safeguards agreed in negotiations. More details of those changes may appear in due course.
A number of LIBE Committee members reacted with hostility to the initial announcements, and the lack of detail about the proposals provided thus far means it is impossible to predict whether the Working Party will accept the Privacy Shield, or allow the continuation of US transfers under SCCs and BCRs. The Working Party has announced the four "guarantees" it will assess against, namely:
What does seem clear is that the Privacy Shield will be subject to prompt legal challenge if implemented.
The Working Party has indicated that these four "guarantees" can and should be applied to intelligence and security activities of any nation – however, there is currently no suggestion that the practices of other countries will be measured against these standards in the near future.
The new "EU-US Privacy Shield" seeks to address key findings of the CJEU judgment by implementing:
"Strong obligations on companies handling Europeans' personal data and robust enforcement"
"Clear safeguards and transparency obligations on US government access"
Main Safe Harbor page >