On 3 February, the Article 29 Working Party (‘WP29’), a group comprising representatives of the EU Member States’ Data Protection Authorities (‘DPAs’), issued a statement cautiously welcoming the agreement on an “EU-U.S. Privacy Shield”. If it is formally adopted, the Privacy Shield will replace the Safe Harbor agreement that was declared invalid by the EU’s highest court in Maximillian Schrems v Data Protection Commissioner (Case C-362/14).
Will the non-enforcement “grace period” be extended?
What will the national DPAs do, now that the 31 January deadline for businesses to implement alternative transfer mechanisms has passed? The WP29’s statement is not explicit – it reiterates that transfers to the United States cannot take place on the basis of the invalidated Safe Harbor decision. However, it states that EU data protection authorities will deal with related cases and complaints “on a case-by-case basis”. It makes no mention of the “coordinated” enforcement efforts mentioned previously, but it would be prudent to assume we will see enforcement action from some of the DPAs.
Other transfer mechanisms also to be scrutinised
The WP29 also appears to cast uncertainty over the use of Standard Contractual Clauses and Binding Corporate Rules. In its statement, it sets out that in the coming weeks it will consider whether these transfer mechanisms can still be used for personal data transfers to the United States. However, it reassures that “in the meantime, [it] considers that this is still the case for existing transfer mechanisms”.
Residual concerns over current U.S. intelligence practices
The WP29 notes that efforts at improvement have been made by the United States, but concerns remain over the current U.S. legal framework and practices of U.S. intelligence agencies.
The statement highlights four essential guarantees for intelligence activities which must be respected whenever personal data is transferred from the EU to the United States. The WP29 considers that the current U.S. regime fails to satisfy these, and cautions that the Privacy Shield framework will be assessed against these guarantees to see if it can alleviate its concerns.
What next?
The WP29 has requested all relevant Privacy Shield documents by the end of February. It will then complete its own assessment in the coming weeks. In the meantime, despite the agreement on the Privacy Shield, uncertainty over “safe” data transfer mechanisms to the United States has increased rather than diminished.