On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government. The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the now-defunct Safe Harbor Framework, and may form a future legal basis for transatlantic data flows between Europe and the United States.
Before the Privacy Shield agreement can enable data flows, the content of the agreement will be scrutinized by the regulators represented in the Working Party. In a press release, available here, the Working Party said that it welcomed the agreement, and would now assess whether the protections it envisages – including rights of redress for European citizens and a new ombudsman mechanism – would be sufficient to meet the criteria that were laid down by the Court of Justice of the European Union (CJEU) in the judgment that invalidated the U.S.-EU Safe Harbor. In particular, the Working Party stressed that it would assess the Privacy Shield in light of four criteria, and, in doing so, would bear in mind that U.S. intelligence agencies may access and use data transferred to the United States via the Privacy Shield. The four criteria, rephrased as questions, are summarized here:
- Does the Privacy Shield establish “clear, precise, and accessible rules” for the transfer and processing of data, so that affected individuals (the individuals to whom data transferred to the United States under the Privacy Shield relates) can be informed and anticipate in advance how data relating to them will be handled?
- Does the Privacy Shield establish protections to ensure that transferred data is processed only as “necessary” and “proportionate” to achieve the legitimate objectives of the processing, in ways that balance the rights of individuals and the needs of national security?
- Does the Privacy Shield establish an “impartial, effective and independent” oversight mechanism?
- Does the Privacy Shield provide for “effective remedies” for individuals whose data protection rights have been infringed?
We understand that the Working Party hopes to receive all of the documents necessary to complete this assessment from the European Commission by the end of February; then, likely in March or early April, the Working Party will hold an extraordinary plenary session on these questions.
Notably, the Working Party also said that it would consider how the Privacy Shield might impact the validity of other transfer mechanisms – presumably including the model clauses (SCCs) and binding corporate rules (BCRs). The Working Party also said it would further consider the basic validity of both of these other transfer mechanisms (in light of the CJEU’s criteria as applied to the U.S.-EU Safe Harbor) following the March plenary.
In the meantime, the Working Party also reiterated that transfers based on the defunct Safe Harbor are invalid, and that flows of data from the European Union to the United States must now be based on alternative legal mechanisms.