Following the announcement by the European Commission of the newly agreed EU-US Privacy Shield, the missing piece of the jigsaw was the Article 29 Working Party’s stance on the adequacy of the existing mechanisms in place—in particular, standard contractual clauses and binding corporate rules (BCR). So after two days of intense discussions, the Working Party has issued a statement with its latest position, which is the follow-up to its original reaction to the invalidation of Safe Harbor last October. The bottom line: the Working Party still does not view US government surveillance laws as sufficiently protective of privacy—a position which calls into question all transfers of personal data to the US, regardless of the methods used to legitimise the transfer—but it will reconsider this position in light of the Privacy Shield in the coming months.
The statement starts on a positive note by saying that the Working Party welcomes the conclusion of the negotiations between the EU and the US on the introduction of a new Privacy Shield—although it acknowledges that it has not seen its content.
The Working Party then goes on to say that over the past weeks, it has analysed the robustness of the other existing transfer tools by reference to the criteria laid out by the Court of Justice of the European Union (CJEU), namely:
- Transparency – Processing should be based on clear, precise and accessible rules.
- Necessity and proportionality – A balance needs to be found between the need for government access to data and the rights of the individual.
- Independent oversight – A judge or another independent body should be able to carry out the necessary checks.
- Effective remedies – Individuals should have the right to defend their privacy rights before an independent body.
Taking all of this into account, the position of the Article 29 Working Party in relation to its assessment of the validity of standard contractual clauses and BCR to legitimise data transfers out of the EU is essentially as follows:
- The current US legal framework dealing with access to data by government, law enforcement and intelligence agencies does not meet the data privacy standards set by the CJEU.
- However, the Working Party is prepared to assess whether the recently agreed EU-US Privacy Shield changes this. In particular, the Working Party will be assessing whether the US government’s assurances that access by public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms are sufficiently robust to alleviate the current concerns.
- The Working Party will carry out this assessment once the details of the Privacy Shield agreement are made available by the European Commission (requested by the end of February), so the outcome of the assessment is expected at some point in April.
- The implication is that if the US government’s assurances are strong enough to meet the CJEU’s standards, standard contractual clauses and BCR will be regarded as valid mechanisms to legitimise international data transfers.
- But if, on the other hand, the US government’s assurances do not meet the CJEU’s standards, then standard contractual clauses and BCR will not be sufficient to legitimise data transfers to the US.
In summary, today’s statement extends the uncertainty under which we have lived since October for another two months. In the meantime, from an enforcement perspective, the Working Party has also confirmed that EU data protection authorities will deal with related cases and complaints on a case-by-case basis.