Art. 29 Working Party Cautious on Privacy Shield Deal

The Internet Law Resource Center™ is the complete information solution for practitioners in cyberlaw. Follow the latest developments on ICANN’s gTLD program, keyword advertising, online privacy,...

By Stephen Gardner

Feb. 3 — The Article 29 Working Party of European Union member state data protection commissioners Feb. 3 gave a guarded response to the Feb. 2 announcement of an agreement with the U.S. to replace the invalidated U.S.-EU Safe Harbor framework.

Speaking at a briefing in Brussels, Isabelle Falque-Pierrotin, chairwoman of the Art. 29 Working Party and president of France's data protection authority, said that the newly agreed EU-U.S. Privacy Shield was welcome.

However, she said, no written agreement had been so far provided by the European Commission, the EU's executive arm, and the Art. 29 Working Party could therefore say nothing definite on the compliance of the arrangement with EU data protection law.

Falque-Pierrotin said that any company that was certified under Safe Harbor which continues to transfer data to the U.S. without alternative arrangements—such as binding corporate rules (BCRs) or standard contractual clauses (SCCs)—is technically breaking EU law and could face enforcement action. For the time being, she added, companies that have adopted BCRs or SCCs would be able to continue using them as valid transfer mechanisms.

Whether enforcement measures, including possible forbidding of data transfers, would be triggered “depends on the DPA,” and “depends if they have complaints,” she added.

However, the threat of “coordinated enforcement actions,” which DPAs said in October 2015 that they would take if a replacement arrangement for Safe Harbor wasn't in place by Jan. 31, seem to have receded .

Need Documents by End of February

The European Court of Justice Oct. 6, 2015 invalidated the 15-year old U.S.-EU Safe Harbor program, over concerns about U.S. government access to data transferred to the U.S. by U.S.-based companies and for failing to offer redress safeguards to EU citizens over allegations of misuse of their data . The invalidation of Safe Harbor affected some 4,400 U.S. companies certified in the program as well as thousands of EU companies that relied on the certification to transfer personal data to those companies.

Although the court ruling was specific to Safe Harbor, it brought BCRs and SCCs into question on the same grounds of government access to data and lack of redress.

Falque-Pierrotin said that the Article 29 Working Party needed more time to assess BCRs and SCCs in the context of the Privacy Shield agreement because the new Privacy Shield safeguards and redress opportunities could “remove some concerns about other transfer tools.”

As of now, however, the Privacy Shield consists of “verbal commitments,” and “to be honest we don't know a lot; the legal format of the arrangement is still unclear to us,” Falque-Pierrotin said.

She added that the Art. 29 Working Party wanted to have all relevant documentation on the Privacy Shield by the end of February, when it would assess the options for “all personal data transfers to the U.S.”

Proper Assessment by End of March

The Art. 29 Working Party had been due to publish the results of an analysis of the impact of the ECJ's ruling on BCRs and SCCs, which might be vulnerable on similar grounds to Safe Harbor.

However, the analysis of BCRs and SCCs would be deferred until the Art. 29 Working Party could properly assess the proposed Privacy Shield arrangement, which would likely be done by the end of March, Falque-Pierrotin said.

Eduardo Ustaran, a partner with Hogan Lovells in London, told Bloomberg BNA Feb. 3 that the decision to delay an assessment of the validity of BCRs and SCCs “just extends the uncertainty” about data transfers to the U.S.

“By implication, they are saying that if the Privacy Shield isn't good enough, then the model clauses [SCCs] aren't going to be good enough either,” Ustaran said.

“We were hoping that the Working Party would clarify to what extent” companies could continue to rely on SCCs, but it hadn't done so, he added.

Four Essential Guarantees

Falque-Pierrotin said that when the Art. 29 Working Party was in a position to assess the Privacy Shield agreement, it would do so on the basis of its compliance with four “essential guarantees” for transfers of EU citizens' data.

The four essential guarantees are that there should be precise rules for processing, that any government access to data should be governed by the principles of necessity and proportionality, that there should be independent oversight mechanisms and that “there must be some kind of effective remedies open to individuals.

Outlining the Privacy Shield, the European Commission Feb. 2 covered all of these areas. On oversight of government access to data, for example, the Privacy Shield would create an ombudsman to whom complaints could be referred, according to the commission .

Falque-Pierrotin said the ombudsman for government access to data was “a very good idea in a very delicate area,” and a “very good sign” from the U.S. intelligence services, but required analysis of its precise details.

She added that the four guarantees for transferred data “constitute a kind of European standard” that would be relevant for all transfers, including those between companies in EU countries.

Not Convinced

An official from one EU DPA, who asked not to be identified, told Bloomberg BNA Feb. 3 that despite the commission's assurances, the Privacy Shield might fall short against the test of the four guarantees, and “I'm not convinced by what I've seen so far” of the new arrangement.

The lack of details about the Privacy Shield could be down to “bad communication from the commission,” the official said. “We have two more difficult months ahead of us. We're not activists, we're lawyers so we need to do this carefully,” the official said.

Claude Moraes, the chair of the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee, also expressed skepticism Feb. 3.

Safe Harbor had contained loopholes “with regards to fundamental rights,” and “we are still deeply concerned that this new arrangement doesn't satisfy these loopholes,” Moraes said in a Feb. 3 statement.

One company that relies on transfers of data said, because of uncertainty about EU-U.S. arrangements, it wouldn't transfer its EU user data to the U.S.

Aytekin Tank, chief executive officer of San Francisco-based JotForm, which provides online form templates, said Feb. 2 that it was “not entirely clear” if the Privacy Shield would be “accepted by all EU countries,” and “we believe that the permanent solution for U.S. companies is to keep user data in Europe.”

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com