On February 5, 2016, Article 29 Working Party member and head of the Hamburg Data Protection Authority, Prof. Dr. Johannes Caspar, spoke about the EU-US Privacy Shield.
Caspar observed that, once approved, the EU-US Privacy Shield system will initially be valid regardless of the decision of the European data protection authorities (DPAs). This is because the Privacy Shield will remain in force as long as it is not brought before the Court of Justice of the European Union (CJEU) and declared invalid by the judges, as was done with the Safe Harbor framework in October 2015.
Caspar expects the Privacy Shield agreement to be published by the end of February, expressed disappointment with the outcome of the negotiations that resulted in the Privacy Shield. In his view, the DPAs are likely to classify the Privacy Shield as insufficient to ensure the appropriate level of protection for the transfer of personal data from the EU to the US. Moreover, Caspar believes that any new agreement in this regard would require preliminary legislative changes in the US, which is unlikely to happen at the moment.
Caspar expects DPAs to determine in April whether the Privacy Shield affords sufficient protections for the cross-border transfer of personal data. If not, the DPAs will likely grant an additional grace period of several months, giving companies time to adjust their processing of personal data so as to either stop exporting EU personal data to the US, or implement Standard Contractual Clauses (Model Clauses) or Binding Corporate Rules (BCRs). Caspar said that following the grace period, the DPAs may start to conduct inspections of EU companies transferring data to the US “without suspicion” (i.e., without knowing on what legal basis these companies transfer their data and without any individual complaint).
Caspar also believes that the DPAs will probably conduct an assessment of the Model Clauses and BCRs, currently the only viable legal instruments for EU data transfers to the US, and that the DPAs will possibly challenge these instruments before the CJEU.
Finally, Caspar emphasized that the DPAs are not willing to preserve any of the legal instruments just for the sake of having a mechanism in place.
Our Take
The German DPAs have consistently taken a dim view of the state of cross-Atlantic data transfers, and Caspar’s position underscores the tensions that persist within WP29 on this topic. In fact, Caspar’s lack of optimism contrasts with the position of the European Commission and the UK’s ICO. We will continue to provide updates as the Privacy Shield framework winds its way through the approval process.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.
