
On February 3, 2016, the Article 29 Working Party (WP29) released a statement on the consequences of the Schrems judgment, following an assessment of the legal framework and the practices of US intelligence services. The WP29 expressed continuing concerns about the US framework for processing personal data for intelligence purposes, in spite of recent reforms.
The statement comes on the heels of the European Commission’s announcement that an agreement had been reached with the US on a new “EU-US Privacy Shield” to replace the Safe Harbor framework. In its statement, the WP29 welcomed the agreement on the EU-US Privacy Shield, but stopped short of endorsing it. The WP29 announced that it will review the EU-US Privacy Shield to determine whether the proposed framework provides sufficient privacy protections to assuage Europe’s ongoing concerns about US privacy protections. Unfortunately, the WP29 did not specify when it intends to complete its review. However, the WP29 Chairwoman stated that there will be an extraordinary plenary meeting of the WP29 towards the end of March 2016, where WP29 would aim to conclude its analysis and then finalise its position on the Privacy Shield in the last two weeks of April.
The WP29’s review will also concern other data export regimes, in particular Model Clauses and Binding Corporate Rules, but these regimes remain valid for exports of data to the US (at least until the review is complete).
WP29 assessment of the US regime
The WP29 assessment was conducted in view of European jurisprudence on fundamental rights, which, according to the WP29, sets forth four essential guarantees in relation to processing of personal data for intelligence purposes:
- Processing based on clear, precise and accessible rules
- Demonstrated necessity and proportionality with regard to the legitimate interests
- The existence of an independent oversight mechanism that is both effective and impartial
- The existence of effective remedies available to individuals
According to the WP29, these guarantees should be respected whenever transfers are made from the EU, whether to the US or any other country. It also noted that these guarantees should be respected by EU member states. While acknowledging the progress made in the US over the past two years, the WP29 noted that it continues to have reservations about the US privacy regime’s ability to meet the four guarantees, particularly in relation to the scope of surveillance and remedies.
EU-US Privacy Shield
The WP29 stated its willingness to analyse the agreement reached between the European Commission and the US yesterday. The WP29 is particularly keen to establish whether its concerns over the current US regime can be assuaged by the provisions of the EU-US Privacy Shield, which involves additional protections in respect of US surveillance practices.
The WP29 has requested that the Commission provide all documents relevant to the new agreement by the end of February in order for it to complete its assessment of the EU-US Privacy Shield at an extraordinary plenary meeting.
Current status of transfer mechanisms
Currently, the WP29 regards mechanisms such as EU Model Clauses and Binding Corporate Rules as effective in governing transatlantic transfers of personal data. However, the statement makes clear that, as part of the Privacy Shield review, the WP29 will also consider whether these mechanisms continue to be effective.
Data protection authority enforcement
The WP29 statement is unclear on the Data Protection Authorities’ position on enforcement at this point. It reiterates that transfers cannot be undertaken on the basis of the invalidated EU-US Safe Harbor mechanism. The statement does not, however, signal coordinated proactive enforcement against exporters that have not put in place alternative transfer solutions. Instead, Data Protection Authorities will “deal with cases and complaints on a case by case basis,” suggesting that data protection authorities will not seek out enforcement cases on their own initiative (this is the same wording used in its 16 October 2015 moratorium).
Our take
As mentioned in our post on the EU-US Privacy Shield, it is too soon for companies that transfer personal data from the EU to the US to be optimistic about the proposed framework. The WP29 statement makes clear that it still has concerns about the US regime, and it is by no means guaranteed that the national Data Protection Authorities that comprise the WP29 will approve the framework. The Data Protection Authorities’ assent to the framework is critical to how the EU-US Privacy Shield will work in practice. Of further concern to companies transferring personal data to the US is the threat that the WP29 finds that mechanisms such as EU Model Clauses and Binding Corporate Rules (which companies have put in place to support cross-border data transfers in the aftermath of Schrems) will themselves be deemed inadequate, effectively rendering any transfer of personal data to the US illegal. We think this scenario is unlikely, given the close relationship between the EU and the US and the economic benefits that the EU and US enjoy through allowing global businesses to transfer data.
We are still some months away from an EU-US Privacy Shield that can actually be adopted and used as an export solution. This means that exporters have little choice but to put in place EU Model Clauses or Binding Corporate Rules, or to assess whether their transfers can fall within a derogation.
Finally, it is clear that a Pandora’s box has been opened through the articulation of intelligence processing standards which may not be met in other countries. If the WP29 concludes that EU Model Clauses and/or Binding Corporate Rules are not effective export solutions to the US due to the US not meeting those standards, such a conclusion will have the potential to affect exports made under those mechanisms to other non-EEA countries, which also do not meet those standards. The Schrems judgment’s legacy may continue affecting the privacy space in Europe and globally for some time yet.