EU Data Protection Authorities Issue Statement Following Agreement on EU-U.S. Privacy Shield

On February 3, 2016, the body of European data protection regulators—called the "Article 29 Working Party" (WP29)—issued a statement following the announcement of a political agreement regarding a new transatlantic data transfer scheme, the EU-U.S. Privacy Shield.1 This is the second guidance document2 issued by the WP29 following the invalidation of the EU-U.S. Safe Harbor Framework Agreement (Safe Harbor) by the Court of Justice of the European Union (CJEU) on October 6, 2015, in Maximillian Schrems v. Data Protection Commissioner.3

Guidance from the WP29 is a good indication of how EU data protection authorities are likely to interpret the law, but it is not legally binding on national data protection authorities or national courts.

In sum, the WP29 said that it welcomes the announcement of the Privacy Shield, but it will now review it carefully in light of Schrems. In parallel, the WP29 is reviewing EU Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCRs), the other legal bases for transferring data to the U.S. The WP29 confirmed that data transfers under Safe Harbor are unlawful, but that SCC and BCRs remain valid for now. The WP29 is expected to issue its opinion regarding the validity of the Privacy Shield, SCC, and BCRs by the end of March 2016 at the earliest. This creates significant legal uncertainty for business.

Additional details regarding the WP29 statement are set forth below:

  1. The WP29 reiterates that the Safe Harbor is not a valid data transfer mechanism. Data transfers under the Safe Harbor lack a legal basis and are unlawful under EU law.
  2. In Schrems, the CJEU considered the access of U.S. intelligence services to EU citizens' personal data as a key factor in invalidating the Safe Harbor. According to the WP29, Schrems requires four essential guarantees for intelligence data processing activities to comply with EU data protection law:
    1. Transparency: The processing should be based on clear, precise, and accessible rules
    2. Proportionality: The processing needs to be proportionate and necessary in light of the objectives pursued
    3. An independent oversight mechanism should exist that is both effective and impartial
    4. Effective remedies need to be available to the individual
  3. The WP29 welcomes the political agreement on the Privacy Shield, but states that it will need to see the actual terms of the agreement to review them in light of Schrems and the four guarantees described above.
  4. The WP29 requests that the EU Commission provide the terms and commitments of the Privacy Shield before the end of February 2016.
  5. The WP29 confirmed that it is reviewing the validity of other data transfer mechanisms in light of Schrems. In particular, the WP29 plans to assess to what extent the terms and commitments of the Privacy Shield can be extended to other transfer mechanisms, in particular SCC and BCRs.
  6. The WP29 indicates that national data protection authorities will handle complaints related to alleged unlawful data transfers to the U.S. on a case-by-case basis.

We will continue to monitor and update you on any new developments in this area.


2 See our WSGR Alert on the first statement of the Working Party 29 from October 16, 2015: https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-schrems-statement.htm.
3 See the CJEU Judgment, delivered on October 6, 2015, in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner (request for a preliminary ruling from the High Court (Ireland)), available at: http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=1&part=1&mode=req&docid=169195&occ=first&dir=&cid=111628.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising

Written by:

Wilson Sonsini Goodrich & Rosati
Contact
more
less

Wilson Sonsini Goodrich & Rosati on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide