Almost four months after the EU Court of Justice declared the European Commission’s Safe Harbor decision invalid, Commissioner Jourová announced its successor on 2 February 2016: the EU-US Privacy Shield (Privacy Shield). But so far the Privacy Shield is merely a political consensus resulting from long negotiations.
While the progress made by the EU and US must be recognised, the Privacy Shield does not yet offer a solution for transatlantic data transfers, nor can it be labelled a new transfer mechanism. In fact, little is known about the contents of the Privacy Shield framework. Without further details and underlying documentation, companies and consumers remain without any real practical guidance on “Safe Harbor 2.0”. At present, and at least for the months to come, unamended Standard Contractual Clauses (SCC) and binding corporate rules (BCR) remain the only realistic transfer mechanisms.
The EU-US Privacy Shield: what it means
The Privacy Shield is intended to facilitate the transfer of personal data between an EU data exporter and a data importer located in the US. It is designed as a regulatory two-way street, built from three core elements that will need to be refined in the near future:
1. Strong obligations on the data importer and robust enforcement
2. Clear safeguards and transparency for US government access
3. Effective protection of EU citizens’ rights and right to redress
Yet no reason to rest assured
Commissioner Jourová expressed her ambitious belief that the Privacy Shield will be implemented within a few months. In that time, these are the steps to be taken:
The Privacy Shield may still have a long way to go
In its reaction to the Privacy Shield, the WP29 expressed concern about whether the new agreement will be able to satisfy the minimum requirements the WP29 considers appropriate. Moreover, the WP29 indicated that it can only complete its assessment of the Privacy Shield once it has access to all underlying documents. Therefore, the WP29 has called on the Commission to submit all documents pertaining to the Privacy Shield by the end of February.
The WP29 has stated that it wants to see and evaluate all legal documents of the deal by the end of February. Given the work that still needs to be done on both sides of the Atlantic, it remains questionable whether the EU and the US will be able to meet this deadline. In the past days, EU and US officials have given varying timeframes for when the finalisation of the new framework can be expected: from three months up to a year.
At least for now, continue to base your transatlantic data transfers on SCC or BCR
While the Privacy Shield is expected to become a viable legal mechanism for transatlantic data transfer at some point in the future, it remains to be seen whether companies will actually be able to rely on it anytime soon. Contrary to what some suppliers allege or imply, the Privacy Shield is nowhere near ready to be put into effect. Moreover, it will provide for a “living” mechanism that will be reviewed annually. Hence, companies that choose in the future to rely on the Privacy Shield may face the risk of having to re-evaluate their processing on an annual basis. For now, we advise companies to continue to focus their efforts on SCC or BCR as the transfer mechanism for all of their data transfers.
Read more in our Legal Alert of 16 October 2015.